Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Protect php files from direct access

Tags:

php

.htaccess

This is what the map of my website looks like:

root:
     -index.php
     -\actions\ (various php files inside and a .htaccess)
     - \includes\ (various php files inside and a .htaccess)
     - .htaccess

I know that if I use "deny from all" in actions and includes directories, the files in them will be secured from direct access.

Now, my actions folder has many php files that are called by index.php (forms). I have "deny from all" in .htaccess inside \actions, but then I have the forbiden access to that files.

So, how can I protect the files from direct url access but have the exception that can be called from index.php?

like image 365
lmarcelocc Avatar asked Feb 16 '23 03:02

lmarcelocc


2 Answers

The easiest way is to place a constant in the index.php and check in the other php files if this constant exists. If not, let the script die.

index.php

define('APP', true);

various.php

if(!defined('APP')) die();
like image 106
Martin Lantzsch Avatar answered Feb 23 '23 20:02

Martin Lantzsch


If you want to block using .htaccess then most likely the best way of adding the exception is to add it to the same .htaccess file. If you want to prevent PHP script from working (but not from being "visible"), then simply look for certain condition (like session variable, constant) at the begining of your scripts. Unless these scripts are invoked "the right way", these requirement will not be ment, so it'd be safe to just die() then

like image 32
Marcin Orlowski Avatar answered Feb 23 '23 20:02

Marcin Orlowski