direct access to files prohibit

bumbar

Hallo!

I have a site which using directory structure:

index.php
header.php
body.php
someinfo.php
moreinfo.php
footer.php

This files building my site www.mysite.com
I have a links in index.php which looks like this:

http://www.mysite.com/index.php?option=someinfo
http://www.mysite.com/index.php?option=moreinfo

index.php contents:

<?php

include ("header.php");

if (isset($GET['option'])) {
$inc = $GET['option'];
$inc_file = "$inc.php";
if (file_exists("$inc_file")) {
include ("$inc_file");
}
}

if (file_exist("other.php")) {
include ("other.php");
}

include ("footer.php");

How I can prohibit direct access to someinfo.php and moreinfo.php

http://www.mysite.com/someinfo.php
http://www.mysite.com/moreinfo.php

and ... how I can redirect users to index.php if they try access http://www.mysite.com/someinfo.php

Thanks!

cahva

First I have to say that you are in dangerous waters when trusting that $_GET['option'] too much. If you include files that trust input from url(or any other user input), do some parsing before including those. If I were a hacker it wouldnt take much to run my own code through your site.

Ok, that aside.. The easiest way to restrict direct access would be to use define in index.php:

index.php

define('PAGE_INITIALIZE',1);

in other pages:

if (!defined('PAGE_INITIALIZE')) {
    header('Location: http://www.mysite.com/');
}

Now when people use direct access to some page, the constant is not defined so it will redirect them to first page. But when included from index.php the constant is defined so it will work from there.

bradgrafelman

I'll definitely echo cahva's warning about just taking a parameter supplied by the user and include'ing it. What you might consider is doing:

$allowed = array('someinfo', 'moreinfo');

if (isset($_GET['option']) && in_array($_GET['option'], $allowed) && file_exists($_GET['option'] . '.php'))
    include ($_GET['option'] . '.php');

That way, only files that you specify in the "allowed" array can be executed.

EDIT: Also, I just combined all of your if() conditions into one... if you'd rather split it up for readability's sake, you can still do that obviously.