Menu
I have a php file that I include in my php script, but I don't want people to be able to directly run the file(without being included). How can I prevent that from happening?
452
Checking if the script is the parent of the PHP process might not be the best idea for preventing users of requesting an include file directly. But it can be handy in many other cases i.e. AJAX modules etc. I'm not gonna start a new topic by this.
if (__FILE__ == get_included_files()[0])
// Doesn't work with PHP prepend unless calling [1] instead.
if (__FILE__ == $_SERVER['DOCUMENT_ROOT'] . $_SERVER['SCRIPT_FILENAME'])
// May not work on Windows due to mixed DIRECTORY_SEPARATOR (machine specific)
if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME']))
// Doesn't work with files with the same basename but different paths
if (defined('FLAG_FROM_A_PARENT'))
// Works in all scenarios but I personally dislike this
if (realpath(__FILE__) == realpath($_SERVER['DOCUMENT_ROOT'] . $_SERVER['SCRIPT_FILENAME']))
// Should work flawlessly
Keep in mind some machines that use virtual paths may return different paths in different php components. realpath() is your friend for this.
105
Make the included scripts not accessible via HTTP at all. E.g. by protecting the subfolder or moving them above the document root.
If you cannot do that, define() something like IS_INCLUDED in your main script and exit; if this constant is not defined() in your included script.
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
