php SCRIPTS- You can not access this file

batman1056

I have a script that when run from my browser will list the full contents of the directory of that folder for the user to look at and download. this is done by access a php script file which opens up into a frame window in the web browser.

What I want to do it stop people from accessing the script directly, so if they went to for example
www.mysite.com/files/list.php
they would get a full listing of the itmes in the folder files
I only want them to be able to access this from a direct link from my main page.

I have seen a script see below, which is ran on my forum, but am am not sure how to change it to the above

aNY help appreciated.

//////////////////////////////////
if (!eregi("modules.php",$_SERVER['PHP_SELF']))
{
die("You can not access this file directly..");
}
if(!isset($mainfile)){ include("mainfile.php");}
$index=0;
include("header.php");
OpenTable();
/////////////////////////////////

this script when put on my forum stops people linking direclty to it. how do I make it so that people can not link directly to my list.php script

thanks

dankstick

Check out the environment or global variable $HTTP_REFERER, you can use this to make sure the referer is coming from a URI you specify, example on the page you are protecting...

<?
if($HTTP_REFERER == 'http://www.mysite.com/foo.php'){
//user came from the right page
}else{
//user linked to this page from somewhere's else
}
?>

Thora_Fan

you might want to use $_SERVER["$HTTP_REFERER"] instead, I think just $HTTP_REFERER is depreciated. I could be wrong however.

LordShryku

Well, it's $_SERVER["HTTP_REFERER"] (no $ before HTTP, sorry, I'm anal like that), and that is also dependant upon whether register_globals is on or off.

Thora_Fan

Thanks for correcting that, I don't think it would work if it was $_SERVER["$HTTP_REFERER"].

batman1056

so.
this script line:

$_SERVER["HTTP_REFERER"]

do I add this the the start of list.php?

or do I create another script to put on the page
the HTTP_REFERER how is this defined ad how do I make it only allow from selected page/site.

thanks for the help😃 😕

Thora_Fan

To stop a person, I would do something much like the code you originally posted:

if (!$_SERVER["HTTP_REFERER"] == "$URL")
{
die("You can not access this file directly..");
}

if(!isset($mainfile)){ include("mainfile.php");}
$index=0;
include("header.php");
OpenTable();
[/code]

Where $URL = Wherever they can come from. $_SERVER["HTTP_REFERER"] is predefined within PHP. Go to http://us4.php.net/variables.predefined for a list of other predefined PHP variables.

Hope this helps.

batman1056

problme is I am rubbish at php, and that snippet of script is liek me reading chineese. I can make out what it does and how it does it (sorta) but understanding what the script is asking for is a little more confusing.

I want to be able to only call the file.php directly from lets say
www.mysite.com/downloads/main.html