 

Make php files hidden from outside world

My PHP website has multiple PHP files. Some of them are for the user interface and some of them are helper files (the files which communicate with the database and each other to return a result). Now I need users to be unable to execute the helper files from their direct URLs.

e.g. mydomain.com/login.php          (interface file, must be accessible to the user)
     mydomain.com/login_handle.php   (helper file, must not be accessible to the user)

So what I need is that the user can execute and browse mydomain.com/login.php but must not be able to execute mydomain.com/login_handle.php, while login.php and handle_login.php keep communicating and can access each other. Thanks,

Edit: Sorry but I'm using shared hosting and there is no folder other than public_html.

Abhishek Bhardwaj asked Oct 22 '12 23:10


2 Answers

The first things I would attempt:

  1. Move the included files outside of the document root

  2. Move the included files inside another folder and protect it using .htaccess. Alternatively, rename your include files to end with .inc and create a rule based on that.

  3. Make sure the included files don't output anything; this is not really secure, but if your file only contains functions, class definitions, etc. without producing any output, it would just show an empty page.

The hackish approach for this can be accomplished by using constants:

index.php

    <?php

    define('MY_CONSTANT', '123');

    include('helper.php');

helper.php

    <?php

    if (!defined('MY_CONSTANT')) { exit; }

    // we were called from another file
    // proceed

Edit

The number 2 approach from above can be done by:

  1. Create a folder underneath public_html, e.g. includes/

  2. Move all the files that should be included only into this folder

  3. Add the following .htaccess inside:

    <FilesMatch "\.php$">
    # Order takes a single argument, so there is no space after the comma
    Order allow,deny
    Deny from all
    </FilesMatch>
    
Ja͢ck answered Nov 10 '22 03:11
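
An added example, not part of the original answer: the `includes/.htaccess` from the steps above, written so that it works on both Apache 2.2 and Apache 2.4 (where `Order`/`Deny` exist only through mod_access_compat) and also covers the `.inc` naming variant the answer mentions. It assumes the host allows these directives in `.htaccess`.

```apache
# public_html/includes/.htaccess
# Added example. "includes/" is the folder name used in the answer above.

# Apache 2.4+: access control is handled by mod_authz_core.
# Needs AllowOverride AuthConfig (or All) for this directory.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|inc)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use Order/Deny.
# Needs AllowOverride Limit (or All) for this directory.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(php|inc)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

These rules only affect HTTP requests: `include()` in login.php reads the helper from disk, so the files keep working together while a direct request for a helper returns 403. Matching `.inc` matters because a `.inc` file that is not denied is normally served as plain text, exposing its source.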


Try to use .htaccess.

Instead of the IP 127.0.0.1, you need to put your server's IP address.

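<Files login_handle.php>
    # Deny,Allow lets the Allow line override "Deny from all";
    # with Allow,Deny the Deny is evaluated last and rejects every client
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Files>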
Dark Matter answered Nov 10 '22 04:11