include() in php with apache auth.

Anon

Hello!

I have a main directory / with index.php and a subdirectory /admin with htaccess protection. Inside the admin directory, I have another page, hello.php to be included in the index.php trought a link.
The problem is I can include this page without authentification. BUT if I type the address in the browser: http://myserver/admin/hello.php. I have the authentification box.
What I would is an authentification with the index.php include AND the address.

It's a giant security hole 'cause I use a function index.php?url=things.php to include my pages. So if someone knows there is a page in /admin, he could insert the address index.php?url=pageinadmin.php to view everything.

Can someone have a solution????

Please help me!!! It's very important for me.

Thx a lot,

Cybix

blizzard

it is generally a bad idea to write a function like this since as you said it is a major security hole. if i were you i'd try to avoid by all means!

try to use header("location: page.php"); instead of include("page.php"); this might need the use of <iframe> tag and one additionaly php page running inside it in order to keep the page layout

you can also consider checking the requested url as a regular expresion to see whether the user is trying to access secret directories.