Posted by Richard Lynch on 01/14/05 18:57

Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didnt see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure taht it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>
> $class_name = strtolower($class_name);
> include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occuring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...

Just *MOVE* your include files to a directory that is not in the web tree.

It would then be very difficult for people to surf to them, no?

You can set *ANY* directory you want in include_path in php.ini,
..htaccess, or using ini_set to get that directory to be searched by PHP
for include files.

--
Like Music?
http://l-i-e.com/artists.htm

[Back to original message]