Posted by Stan F on 01/14/05 16:08

----- Original Message -----
From: "Adam Hubscher" <webmaster@offbeat-zero.net>
To: <php-general@lists.php.net>
Sent: Friday, January 14, 2005 1:25 AM
Subject: [PHP] Preventing execution without inclusion


> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didnt see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure taht it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>
> $class_name = strtolower($class_name);
> include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occuring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.

A common way to do it:

# in your index.php just before any inclusion
define( '__INDEX__', true );

# in other files
if( !defined( '__INDEX__' ) ) die( 'You cannot execute this script' );

Sorry if I didn't get u the right way, I'm too tired..

WBR
Stan F



>
> As of yet, it has eluded me...
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

[Back to original message]