Preventing remote invocation of a script

Bobulous

Is there a reliable way of preventing someone calling my script from a remote server?

The script is used to generate a part of a bigger page, so the script should never be called directly, only as an include by Apache on my own web host.

Is there a way of marking the file so that only my webserver can see it and execute it? I tried to change the public permissions to zero, but that stopped Apache seeing the file too.

Any ideas how I can make such files invisible to the outside world?

bradgrafelman

What I normally do is go into my PHP scripts, and do this:

define('core_app', TRUE);
include_once 'secretScript.php';

Then, in secretScript.php, put this at the very top:

if(!defined('core_app'))
     die('You do not have permission to execute this script.');

EDIT: An alternative that I recently discovered, thanks to a post by renob here, is to check if the file in question is being queried directly by the browser, like so:

if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) { 
    exit('Access Denied'); 
}

MarkR

If you're using Apache you could place it in a directory denied access via the web, for instance with

Deny From All

In its .htaccess (Be sure to test that this works!).

Another good idea is to make sure nothing bad happens even if the script is invoked directly.

Usually I achieve this by having none of the include files do anything "bad" on its own - most of them only define functions, constants and occasionally globals. A few of them do some checks, but none actually do anything which could cause a "bad" thing to happen, or any user output. So someone executing one directly would not get anything.

Mark

Bobulous

I think I failed to explain myself fully.

To allow non-PHP pages to call a script that generates a random quote, I have created an invocation script that can be included using Apache's server-side include, e.g.

<!--#include virtual="/scripts/my_script.php?query=something" -->

This allows the function of the script to be used on SHTML pages without converting the page to PHP. Apache executes the desired script and embeds the result of it, not the code from it, into the SHTML document. The script need never be accessible to the public.

So I'm afraid that neither of the above suggestions work.

I'm starting to think that it's simply not feasible to use this SSI include option. I may have to bite the bullet and simply convert all of the script-client pages to PHP.

I am surprised, though, that Apache doesn't seem to offer a way of hiding these included scripts from the outside world without making it invisible to Apache and PHP also.

fire_cracker

I don't know a whole lot about SSI; however, coulding you just put the script in a directory that web traffic can't access? Or does it not work that way?

ahundiak

Seems like you could check the values of:
SERVER["REMOTE_ADDR"]
SERVER["REMOTE_HOST"]

Of course a determined hacker could probably spoof these values but it would take a bit of effort.

Bobulous

Thanks for all your advice, but I can't find a secure way of allowing Apache to include a PHP script without it also being accessible to the world at large. If anyone does know how to do this, let me know.

In the meantime, I'm switching to using PHP's include command. This does require silent redirects from .html files to .php files, but I'd rather that than find my scripts open to hotlinking or other abuse.