
[PHP] Prevent direct url typing?

Hello,

How can I print an error message if the user directly types a file in the url?

For example, I want to display an error message if the user types 'update.php' in the URL, but I want to be able to execute it by including it in other files (`include ("update.php");`).

Thanks in advance!

Regards
 
How about putting your include files in a folder with a name the user will never guess, or giving them names that are a bit less guessable?
 
If the user types your URL directly, the HTTP referer is empty :)

However, since your case is about preventing an "included file" from being accessed directly, I think it is a "different" case.

For example: you have index.php
PHP:
include('newphp.php');
echo($hello);
and you have newphp.php
PHP:
$hello='hello too';

-------- BREAK :wave: BREAK --------

We can make a kind of simple "protection". Modify your index.php
PHP:
define('IS_IN_SCRIPT',1);// define a flag

include('newphp.php');
echo($hello);
and modify your newphp.php
PHP:
if (!defined('IS_IN_SCRIPT')) {
    // if our flag is not defined,
    // user is accessing our file directly
    // (die() already terminates the script, no separate exit needed)
    die('I am sorry, you can not access this file directly.');
}
// else, put normal script
$hello = 'hello too';
 
xrvel said:
If the user types your URL directly, the HTTP referer is empty :) {...} We can make a kind of simple "protection". {...}
xrvel,

I tried with

PHP:
if (!isset($_SERVER['HTTP_REFERER'])) {
    echo "uh?";
} else {
    // The script
}

And it works pretty well! I guess I will stick with this for now!

Thanks! :)
 
w1ww said:
xrvel,
I tried with {...} And it works pretty well! I guess will stick with this for now!
Thanks! :)
The referer check works, but you cannot trust the referer 100% for inclusion "security" (because the user can actually modify the referer);
you should use the define and defined which I wrote above :)
 
What about a .htaccess file like this:
Code:
<Files update.php>
order allow,deny
deny from all
</Files>
This should return an HTTP 403 (Forbidden) error (you should be able to customize the error pages).
 
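The `.htaccess` rule above uses the Apache 2.2 access-control syntax. On Apache 2.4 `Order`/`Deny` is only honoured while `mod_access_compat` is loaded; without it the request fails with a 500 instead of the intended 403. The following is an added example, not the poster's own file, written so that it works on either version. The file name update.php is taken from the thread; everything else is an assumption.

```apache
# .htaccess in the document root -- added example, not from the thread.

# Refuse HTTP requests for update.php. include('update.php') is unaffected:
# PHP reads the file from disk, so the web server never sees that as a request.
<Files "update.php">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_host); also accepted by 2.4 with mod_access_compat
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

Two caveats a practitioner should check: `Require` is only permitted in `.htaccess` when `AllowOverride` includes `AuthConfig`, and `Order`/`Deny` when it includes `Limit`; and none of this applies on nginx or any other server that ignores `.htaccess`. If you have several include-only files, put them in one directory and give that directory the same two `<IfModule>` blocks without the `<Files>` wrapper, or, more robustly, move them outside the document root and include them with a filesystem path such as `require __DIR__ . '/../inc/update.php';` (assumed layout), so there is no URL that can reach them at all.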
Do not under any circumstances rely on the referer; it can be forged very easily.

Either do as xrvel suggested or do the following in scripts you do not wish to be called directly:

PHP:
<?php
if (strtolower(__FILE__) == strtolower($_SERVER['SCRIPT_FILENAME']))
{
    echo 'Do not call this file directly';
    exit();
}
echo 'The rest of the script here';
?>
 
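xrvel's constant flag and the `__FILE__` / `SCRIPT_FILENAME` comparison in the post above can be combined into one reusable guard. The following is an added example, not code from the thread; the file name guard.php, the constant name IN_APP and the function names are assumptions, and it needs PHP 7.1 or later. It resolves both paths with `realpath()` so that symlinks and relative spellings compare equal, answers with a real 403 rather than a 200 carrying an error text, and never looks at the Referer header: a one-liner such as `curl -H 'Referer: http://example.com/index.php' http://example.com/update.php` satisfies any referer check. A constant is used rather than a plain variable because a constant cannot be set from request data (on PHP before 5.4 with register_globals enabled, a query-string parameter could populate an ordinary variable).

```php
<?php
// guard.php -- added example, not code from the thread. The names guard.php,
// IN_APP, is_direct_request and deny_direct_request are assumptions.
declare(strict_types=1);

/**
 * Decide whether $file is being executed directly by the web server.
 *
 * $file           the include-only file, normally passed as __FILE__
 * $scriptFilename $_SERVER['SCRIPT_FILENAME'], the script the SAPI executed
 * $flagDefined    whether the entry point defined the IN_APP constant
 *
 * Either check alone would do; both are used because they fail independently:
 * a new entry point may forget the flag, and SCRIPT_FILENAME may be unset or
 * unreliable under some SAPIs.
 */
function is_direct_request(string $file, ?string $scriptFilename, bool $flagDefined): bool
{
    if (!$flagDefined) {
        return true;                       // no entry point set the flag
    }
    if ($scriptFilename === null || $scriptFilename === '') {
        return false;                      // nothing to compare against
    }
    // realpath() resolves symlinks and "../" so two spellings of the same
    // path compare equal; it returns false for a path that does not exist.
    $self     = realpath($file);
    $executed = realpath($scriptFilename);
    return $self !== false && $self === $executed;
}

/**
 * Call at the very top of every include-only file:
 *     deny_direct_request(__FILE__);
 * Returns silently when the file was include()d from a proper entry point;
 * otherwise sends 403 and stops the script.
 */
function deny_direct_request(string $file, string $flag = 'IN_APP'): void
{
    if (!is_direct_request($file, $_SERVER['SCRIPT_FILENAME'] ?? null, defined($flag))) {
        return;                            // legitimately included, carry on
    }
    if (!headers_sent()) {
        http_response_code(403);           // real 403, not a 200 with an error text
        header('Content-Type: text/plain; charset=utf-8');
    }
    exit('Forbidden: this file may not be requested directly.');
}

// --- index.php, the only legitimate entry point (separate file, assumed) ---
// define('IN_APP', true);                 // must come BEFORE any include
// require_once __DIR__ . '/guard.php';
// require_once __DIR__ . '/update.php';
//
// --- update.php, include-only (separate file, assumed) ---
// require_once __DIR__ . '/guard.php';
// deny_direct_request(__FILE__);          // 403 on a direct request
// $hello = 'hello too';                   // normal script continues
```

When update.php is requested by URL, `SCRIPT_FILENAME` and `__FILE__` resolve to the same path and IN_APP is undefined, so either test alone denies it; when index.php includes it, the flag is set and `SCRIPT_FILENAME` points at index.php, so the guard returns and the rest of update.php runs. guard.php itself only declares functions, so requesting it directly produces an empty 200 and nothing else.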
xrvel's "protection" should work ok, and here's another version of it as well:
(that will send a 403 Forbidden code if you try to access update.php directly)

Update.php
PHP:
<?php

// isset() avoids an "undefined variable" notice on a direct request
if (!isset($mysecretteststring) || $mysecretteststring !== "my secret password") {
         header("HTTP/1.0 403 Forbidden");
         die("Access denied");
}

echo "the rest of the script down here..";

?>

Index.php (or the file that's allowed to include update.php)
PHP:
<?php
$mysecretteststring = "my secret password"; 
include("update.php");
?>
 
As xrvel suggested, defining is generally a favourite way of doing this. It's what I would definitely do! :tu:

PHP:
define("AUTH", 1);
PHP:
if (!defined("AUTH")) {
    die("...");
}
 
Do not under any circumstances rely on the referer; it can be forged very easily.

In addition to that, a few firewalls actually block the referer by default, so it's likely the script will break when it's not supposed to.

My initial thought was to use the define method (as scripts like phpBB do), and since it has been suggested more than once already before my post I would advise going with it :)
 
I already did ;)

Thank you guys!
 