
how to prevent direct access to php script?

Posted: Thu Feb 26, 2009 10:07 pm
by markthien
Hi,
I store all my PHP scripts under a /bin folder, for example process-signup.php. If a user goes directly to http://www.menggaris.com/bin/process-signup.php, then the script will be executed and data will be saved into the database. Users should go to signup.php first.
How can I prevent this situation from happening?
I am wondering if there is any way to detect whether the user accessed process-signup.php directly instead of coming from signup.php.

Thanks & regards,
Mark

Re: how to prevent direct access to php script?

Posted: Thu Feb 26, 2009 10:43 pm
by alex.barylski

Code:

<?php defined('PROJECT_LOADED') or die('Invalid Request');
Every script file that is not directly invocable should have this as the very first line. Every script that is accessible directly should then define this somewhere before including the support scripts.

Alternatively (and preferably) you should store all files (except index.php and assets) outside the document root.

Re: how to prevent direct access to php script?

Posted: Thu Feb 26, 2009 11:39 pm
by markthien
Hi PCSpectra,

Should I put process-signup.php outside the document root folder? For example, consider the following code:

Code:

<form id="signup_form" action="bin/process-signup.php" method="post">
        <input type="text" name="name" id="name"/>
        <input type="text" name="email" id="email"/>
        <input type="submit" value="submit" name="submit" id="submit"/>
</form>
 
My document root path is /home/webadministrator/www/root/
and all my PHP scripts are under /home/webadministrator/www/root/bin.
Now, if I put process-signup.php under /home/websiteadmin/www/bin,
how should I write the path in the HTML form?
I don't think I can write it like this:

Code:

<form id="signup_form" action="/home/websiteadmin/www/bin/process-signup.php" method="post">

regards,
Mark

Re: how to prevent direct access to php script?

Posted: Thu Feb 26, 2009 11:58 pm
by John Cartwright
It doesn't make any sense to want to protect that file from being directly accessed. When you make the form post to this file, you are directly accessing it. By putting it outside the webroot you are eliminating access to the file from www.

Re: how to prevent direct access to php script?

Posted: Fri Feb 27, 2009 12:00 am
by alex.barylski
Should I put process-signup.php outside the document root folder? For example, consider the following code:
If the file/script is required to be accessible (such as a signup form) then no -- you need that within your docroot -- but any of its included files, say something like this:

Code:

<?php

// entry script inside the docroot: pulls in the support code
include 'inc/functions.php';

echo 'Do your thing';
The 'inc' sub-folder might (for technical reasons -- such as being on a shared host and not having access outside the docroot) be required to be kept in the accessible view -- in which case you would use the check I showed previously inside functions.php to ensure that script wasn't directly accessible.
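
The two-file layout alex.barylski describes in both replies above, written out as an added example (this is editor-supplied code, not code from the thread). File 1 is the entry script the form posts to and must stay inside the docroot; file 2 is the support script, shown at the preferred location one directory above the docroot, with the in-docroot inc/ location as the shared-host fallback. The paths, the save_signup() function and the commented-out database call are assumptions for illustration. Split the block at the "File 2" marker and save each part under its own name.

```php
<?php
// ---- File 1: <docroot>/process-signup.php  (the form's action; stays inside the docroot) ----
// The only script a browser may request directly, so it alone defines the constant,
// and it does so before any support script is included.
define('PROJECT_LOADED', true);

// Preferred layout (assumed path): support code lives one directory above the docroot,
// where the web server cannot serve it at all. On a shared host that does not allow
// this, require __DIR__ . '/inc/functions.php' instead; the guard in file 2 still
// refuses a direct request for /inc/functions.php.
require __DIR__ . '/../lib/functions.php';

// The form uses POST, so a plain GET for this URL is rejected outright.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

echo save_signup($_POST['name'] ?? '', $_POST['email'] ?? '')
    ? 'Thanks for signing up'
    : 'Invalid input';

// ---- File 2: <docroot>/../lib/functions.php  (or <docroot>/inc/functions.php) ----
// Very first line of every script that must not be invoked directly: unless an entry
// script defined the constant, stop here. A direct request for /inc/functions.php gets
// 'Invalid Request' and nothing below runs; an include from file 1 passes because the
// constant was defined before the require.
defined('PROJECT_LOADED') or die('Invalid Request');

function save_signup(string $name, string $email): bool
{
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Hypothetical persistence step. A real implementation would use a prepared
    // statement, for example:
    // $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)')->execute([$name, $email]);
    return true;
}
```

Note what the guard does and does not cover: it protects the included support files only. process-signup.php itself remains reachable by anyone who sends a POST to it, which is the point John Cartwright makes above; the form submission is itself a direct request, so the entry script has to validate its input on every call rather than rely on having been "reached through" signup.php.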

Re: how to prevent direct access to php script?

Posted: Sat Feb 28, 2009 8:24 am
by josh
Set a session variable on the 1st page and check for it on the 2nd page.
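
josh's session-variable approach as an added example (editor-supplied, not code from the thread), with one practitioner refinement. A bare flag such as $_SESSION['visited_signup'] only proves that signup.php was loaded at some point in this session; anyone can load it once and then POST to bin/process-signup.php directly, and a third-party page can submit the form on a logged-in visitor's behalf. Storing a random value in the session and echoing it into a hidden form field makes the second page check something only the real form carries, which is the standard anti-CSRF token pattern. The file names signup.php and bin/process-signup.php come from the thread; the session key signup_token is an assumption. Save each part under its own file name, splitting at the "File 2" marker.

```php
<?php
// ---- File 1: <docroot>/signup.php  (the "1st page": issues the session value) ----
session_start();

// Generate the token once per session; 32 random bytes from the CSPRNG, hex-encoded.
if (empty($_SESSION['signup_token'])) {
    $_SESSION['signup_token'] = bin2hex(random_bytes(32));
}

// Escape before embedding in HTML, even though the value is hex; it is a habit worth keeping.
$token = htmlspecialchars($_SESSION['signup_token'], ENT_QUOTES, 'UTF-8');

echo <<<HTML
<form id="signup_form" action="bin/process-signup.php" method="post">
        <input type="hidden" name="token" value="{$token}"/>
        <input type="text" name="name" id="name"/>
        <input type="text" name="email" id="email"/>
        <input type="submit" value="submit" name="submit" id="submit"/>
</form>
HTML;

// ---- File 2: <docroot>/bin/process-signup.php  (the "2nd page": checks the session value) ----
session_start();

// Reject unless: it is a POST, the session holds a token (signup.php was visited in this
// session), the form sent one, and the two match. hash_equals() is a constant-time compare.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || empty($_SESSION['signup_token'])
    || empty($_POST['token'])
    || !hash_equals($_SESSION['signup_token'], (string) $_POST['token'])) {
    http_response_code(403);
    exit('Invalid Request');
}

// One-shot: clear the token so a replayed or double-submitted POST fails the check above.
unset($_SESSION['signup_token']);

// From here on, validate $_POST['name'] and $_POST['email'] and save them as usual.
echo 'Thanks for signing up';
```

A direct GET to bin/process-signup.php, or a POST crafted without the hidden field, now gets a 403; only a submission of the form that signup.php rendered in the same session passes. This still does not make the script "not directly accessible" in the sense the question asks (the form POST is a direct request), it just ties that request to the page that was meant to precede it.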