Posted by Marek Kilimajer on 01/14/05 13:17
Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didn't see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>
> $class_name = strtolower($class_name);
> include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...
>
If includes/class.join.php only defines the class (as it should), direct
access is completely harmless.
Anyway, you can:
1. put includes/ directory outside of the web root
2. use .htaccess to forbid access to all files in includes/ directory
3. use this code at the beginning of every "direct access forbidden" file:
// __FILE__ is the full filesystem path of this file, so compare basenames
// on both sides (REQUEST_URI is the path the browser asked for).
if(basename($_SERVER['REQUEST_URI']) == basename(__FILE__)) {
die('Direct access forbidden!');
}
(does not work if you give included files the same name as the main files)
4. You can test for a defined constant. Let's say all main files include
includes/config.php that defines constant DB_HOSTNAME, then you can:
if(!defined('DB_HOSTNAME')) {
die('Direct access forbidden!');
}
HTH
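A variant of option 3 that avoids the same-name limitation, added here as an example and not code from the original thread: one guard file that every file under includes/ requires first, which denies the request whenever the script the web server actually executed lives in includes/. It assumes PHP 5 and that the SAPI populates $_SERVER['SCRIPT_FILENAME']; the file name includes/guard.php and the function name are my own choices.

```php
<?php
// includes/guard.php  (added example, not from the original post)
// First line of every file under includes/ that must never be run directly:
//     require_once dirname(__FILE__) . '/guard.php';
// Instead of comparing basename(REQUEST_URI) with __FILE__, this checks
// whether the *executed* script sits in the same directory as the guard.
// index.php lives one level up, so a normal include passes; a direct hit on
// includes/class.join.php (or any other file there) is refused, even if an
// included file happens to share its name with a main file.

function includes_deny_direct_access()
{
    // Assumption: the SAPI sets SCRIPT_FILENAME to the script it executed.
    $executed = isset($_SERVER['SCRIPT_FILENAME'])
        ? realpath($_SERVER['SCRIPT_FILENAME'])
        : false;
    // __FILE__ inside this function still refers to guard.php itself.
    $includesDir = realpath(dirname(__FILE__));

    // realpath() returns false when it cannot resolve the path; fail closed
    // rather than letting an unknown request through.
    if ($executed === false || dirname($executed) === $includesDir) {
        header('HTTP/1.1 403 Forbidden');
        die('Direct access forbidden!');
    }
}

includes_deny_direct_access();
```

Keeping the guard in one place also means the rule can be tightened later (for example, by adding the DB_HOSTNAME check from option 4) without touching every class file.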