Reply to Re: [PHP] Preventing execution without inclusion

Posted by Jochem Maas on 01/14/05 15:14

Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didn't see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?

there are any number of ways to do this; I can think of three off hand:

1. use a suitably configured .htaccess to deny access to the dir where
your 'include' files are.
2. place the include directory outside of the webroot.
3. add something like the following to all your include files:

if (!defined('OK_TO_INCLUDE')) { die('go away nosey parker!'); }

and make sure to define the constant before you include any of your
'include' files. e.g.

define('OK_TO_INCLUDE', true);

---
hope that gives you an idea.


oh and turning off the server also works ;-)

>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>
> $class_name = strtolower($class_name);
> include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...
>
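
Added example, not part of the original thread: a single CLI script that writes a class file carrying the OK_TO_INCLUDE guard from option 3 into a throwaway directory (standing in for an include directory kept outside the webroot, option 2) and then exercises both access paths from the question. The directory name, the Join class body and the 403 status are assumptions; spl_autoload_register is used in place of the __autoload function quoted above, which PHP 8 no longer supports.

```php
<?php
// Added example (not from the thread). Run from the CLI: php guard_demo.php
// Constructed layout: a temp directory stands in for an include directory
// kept outside the webroot (option 2).
$incDir = sys_get_temp_dir() . '/inc_' . bin2hex(random_bytes(4));
mkdir($incDir, 0700);

// Constructed include file; the option-3 guard is its first statement.
// The 403 status is an addition for web requests and is a no-op on the CLI.
$classFile = $incDir . '/class.join.php';
file_put_contents($classFile, <<<'PHP'
<?php
if (!defined('OK_TO_INCLUDE')) { http_response_code(403); die('go away nosey parker!'); }
class Join { public function run() { return 'join form'; } }
PHP
);

// Case 2 from the question: the file is executed on its own, so the
// constant is undefined and the guard stops before the class is declared.
exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($classFile), $out);
echo "direct:    ", implode("\n", $out), "\n";

// Case 1: the entry point defines the constant first, then autoloads.
define('OK_TO_INCLUDE', true);
spl_autoload_register(function ($class) use ($incDir) {
    // Only plain identifiers may be turned into a filesystem path.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        return;
    }
    $file = $incDir . '/class.' . strtolower($class) . '.php';
    if (is_file($file)) {
        require_once $file;
    }
});

$join = new Join();
echo "via index: ", $join->run(), "\n";

// Remove the constructed files.
unlink($classFile);
rmdir($incDir);
```

The guard only stops code in that file from running when requested directly; options 1 and 2 keep the web server from serving the file at all, so they still apply to include files that have no guard line.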
