My php website have multiple php files , some of them are for user interface and some of them are helper files(the files, which communicates through database and each other to return a result). Now I need that user can't execute the helper files from their direct url's.
e.g. mydomain.com/login.php ---------- (Interface file, must be accessible to user)
mydomain.com/login_handle.php ----(Healper file, must not be accessible to user)
So I need is user can execute and browse mydomain.com/login.php but must ot be able to execute mydomain.com/login_handle.php, while login.php and handle_login.php keep communicate and can access each other. Thanks,
Edit: Sorry but I'm using shared hosting and there is no folder other than public_html.
The first things I would attempt:
Move the included files outside of the document root
Move the included files inside another folder and protect it using .htaccess
. Alternatively, rename your include files to end with .inc
and create a rule based on that.
Make sure the included files don't output anything; this is not really secure, but if your file only contains functions, class definitions, etc. without producing any output, it would just show an empty page.
The hackish approach for this can be accomplished by using constants:
index.php
<?php
define('MY_CONSTANT', '123');
include('helper.php');
helper.php
<?php
if (!defined('MY_CONSTANT')) { exit; }
// we were called from another file
// proceed
Edit
The number 2 approach from above can be done by:
Create a folder underneath public_html
, e.g. includes/
Move all the files that should be included only into this folder
Add the following .htaccess
inside:
<FilesMatch "\.php$">
Order allow, deny
Deny from all
</FilesMatch>
Try to use .htaccess.
Instead of 127.0.0.1 this ip, you need to put your server ip address.
<Files login_handle.php>
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With