 

How do I make a bridge between my JavaScript file and PHP file to protect MySQL info?

I have four files:

  1. index.php, "the main page", with a search function that uses a MySQL database. I call the database through JavaScript, client side.
  2. fetch.php, which contains the MySQL connection info.
  3. bridge.php, to cover the fetch file; I'm using PHP code to make the connection.
  4. A .htaccess file to block any direct access to the fetch.php file.

index.php<--->bridge.php<--->fetch.php<--->Mysql

My index.php file contains the code below, and because I'm using JavaScript (which is client side), the .htaccess file blocked index.php from accessing my fetch.php file.

<script>
$(document).ready(function(){

    // POST the search term to bridge.php and drop the returned HTML into #result
    function load_data(query)
    {
        $.ajax({
            url:"bridge.php",
            method:"post",
            data:{query:query},
            success:function(data)
            {
                $('#result').html(data);
            }
        });
    }

    // Trigger the search while the user types (the search box id is assumed; the post omits this part)
    $('#search_text').keyup(function(){
        load_data($(this).val());
    });
});
</script>

So I made my JavaScript code call the bridge.php file, and the bridge.php file calls the fetch.php file through PHP, to make all this work.

So my bridge.php file code:

<?php
include 'fetch.php';
?>

Now no one can access fetch.php directly; the .htaccess file blocks any direct connection through the browser. But if I call the file bridge.php through the browser it will open the database! That doesn't solve anything! What am I doing wrong?

This is the code of my .htaccess file:

<Files ~ "fetch.php">
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Files>

And this is how my fetch file calls MySQL:

<?php
$connect = mysqli_connect("localhost", "example.com", "password", "databasename");
$output = '';
if(isset($_POST["query"]))
{
    $search = mysqli_real_escape_string($connect, $_POST["query"]);
    $query = "
    SELECT * FROM tbl_customer 
    WHERE CustomerName LIKE '%".$search."%'
    OR Address LIKE '%".$search."%' 
    OR City LIKE '%".$search."%' 
    ";
    // The post is cut off here; the query is run and rows rendered as below.
    $result = mysqli_query($connect, $query);
    while($row = mysqli_fetch_assoc($result))
    {
        // escape each value before it is sent back as HTML for $('#result').html()
        $output .= '<tr><td>'.htmlspecialchars($row["CustomerName"]).'</td><td>'.htmlspecialchars($row["Address"]).'</td><td>'.htmlspecialchars($row["City"]).'</td></tr>';
    }
}
echo $output;
?>
Someone asked Nov 06 '22 18:11

1 Answer

I think you are overcomplicating the issue or you have composed fetch.php in a way that does not help.

I'm guessing your fetch.php has MySQL functions or class code in it that you then access and use. Something like:

<?php

define('MYSQL_SERVER','localhost');
define('MYSQL_LOGIN','mylogin');
... and more ...

class DB {
   ... methods ...
}
?>

The key part of fetch.php should be the opening <?php and the closing ?>.

If you (or anyone else) directly requests fetch.php, your code should be written in a way that the result is a totally blank page.

The only overhead on the web server is the single PHP pass that will then render the blank return to the browser.

If you have written your code in another way I suggest you rethink your approach and question why you have done what you have.

BTW, adding details to a .htaccess file should only be done if there is no other way. As far as web server performance goes, they are not a good idea.

Edit:

If you really want to make sure fetch.php is not directly called but only ever included in another file, you could do something like the following right at the top:

<?php

// Runs first: if this file is the only one in the include stack, it was requested directly.
if (count(get_included_files()) == 1) {
    // direct request, do nothing
    exit;
    // or, instead of the bare exit above, redirect somewhere like:
    // header("Location: /");
    // exit;
}

// has been included, allow rest of script to process
$connect = mysqli_connect("localhost", "example.com", "password", "databasename");
// ... more code below
Tigger answered Nov 09 '22 23:11
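To make the answer's point concrete, here is a hardened version of the fetch.php that bridge.php includes, as an added example; it is not code from the question or the answer. The credentials never reach the browser because PHP only sends what the script echoes, so the .htaccess rule buys nothing; what the original code does expose is a string-built LIKE query and unescaped HTML handed to jQuery's .html(). The example assumes the tbl_customer table and columns from the question, a hypothetical credentials file /etc/myapp/db.php kept outside the web root, and a mysqli build with mysqlnd (needed for get_result()).

```php
<?php
// Added example, not from the original question or answer.
// fetch.php: included by bridge.php (which is just: require __DIR__ . '/fetch.php';)
declare(strict_types=1);

// Same guard as the answer: a direct request has only this file in the include stack.
if (count(get_included_files()) === 1) {
    http_response_code(404);
    exit;
}

function db_connect(string $configPath = '/etc/myapp/db.php'): mysqli
{
    // Hypothetical config file outside DocumentRoot, containing e.g.:
    // <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => '...', 'db' => 'shop'];
    // A path outside the web root is what keeps the password off the wire, not .htaccess.
    $cfg = require $configPath;
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
    $db->set_charset('utf8mb4');
    return $db;
}

// mysqli_real_escape_string does not touch LIKE metacharacters, so a search for
// "%" or "_" would match every row. MySQL's default LIKE escape char is backslash.
function like_pattern(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

// Prepared statement: the search term is sent as data, never spliced into SQL.
function search_customers(mysqli $db, string $term, int $limit = 50): array
{
    $stmt = $db->prepare(
        'SELECT CustomerName, Address, City FROM tbl_customer
         WHERE CustomerName LIKE ? OR Address LIKE ? OR City LIKE ?
         LIMIT ?'
    );
    $pat = like_pattern($term);
    $stmt->bind_param('sssi', $pat, $pat, $pat, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Escape every cell: index.php injects this response with $('#result').html(),
// so any markup stored in the database would otherwise execute in the browser.
function render_rows(array $rows): string
{
    if ($rows === []) {
        return '<p>No results.</p>';
    }
    $html = '<table><tr><th>Name</th><th>Address</th><th>City</th></tr>';
    foreach ($rows as $r) {
        $html .= '<tr>';
        foreach (['CustomerName', 'Address', 'City'] as $col) {
            $html .= '<td>' . htmlspecialchars((string)$r[$col], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Entry point when included from bridge.php via the AJAX POST in index.php.
$term = trim((string)($_POST['query'] ?? ''));
if ($term === '' || strlen($term) > 100) {
    http_response_code(400);
    exit('Bad query');
}
echo render_rows(search_customers(db_connect(), $term));
```

With this layout bridge.php can be requested by anyone, which is fine: it returns search results, which is exactly what index.php needs, and nothing else. Keeping db.php outside DocumentRoot means a misconfigured PHP handler that serves the file as plain text still cannot disclose the password, which is the failure mode the .htaccess rule was trying to cover.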