[RESOLVED] Make sure include file not opened w/o being included?

Pikachu2000

Is there a way to make sure a file intended only for inclusion within another script is not opened without being included?

For example, if I use "index.php?page_id=page_name.php" in the URL, is there a way to prevent "page_name.php" from being accessed without being called from the include() function within index.php?

knowj

I would seriously advise you don't do the above as it opens your system up to a whole host of hacks.

But simply put your files in directories and have a .htaccess file within the directory you don't want to be accessed:

.htaccess

DENY FROM ALL

or you could do the following:

index.php

<?php
define('SELF', 1);
?>

all other files

<?php
if (SELF!='1'){die('ACCESS DENIED');}
?>

I personally use the first method. But similar methods to the 2nd one are also used alot.

paulnaj

One way you could do it is to put everything that is in the include file inside functions, and only call the functions outside of the include file.

That way, if someone does navigate to the page, nothing will be outputted to the browser.

Might not suit your requirements, though.

halojoy

$_SERVER['PHP_SELF'] tells what is the main page
Even in one included page will tell same PHP_SELF,
as the main script page which did the include.

There are many ways to test if an included page was really included
or called directly, and so make an exit() to stop in such case.

Using value of $_SERVER['PHP_SELF'] is one such test.

<?php

echo $_SERVER['PHP_SELF']; // the main script page
echo '<br>';
echo __FILE__; // this file's path
echo '<br>';
echo basename(__FILE__); // this file's name
echo '<br>';
echo '<br>';

// test if this file's name is a part of PHP_SELF
// which means this file was NOT included, but called directly
// if so, exit() to end script
if(stripos($_SERVER['PHP_SELF'], basename(__FILE__))!==FALSE) exit('stop!');

?>

This is how you can use it.
Put as first line in all your include files, to protect them:

<?php
// test for hackers and stop with exit()
if(stripos($_SERVER['PHP_SELF'], basename(__FILE__)) !== FALSE) exit('stop!');

// rest of code
// more here

?>

Pikachu2000

knowj;10944702 wrote:
I would seriously advise you don't do the above as it opens your system up to a whole host of hacks.

But simply put your files in directories and have a .htaccess file within the directory you don't want to be accessed:

.htaccess
DENY FROM ALL
or you could do the following:

index.php
<?php
define('SELF', 1);
?>
all other files
<?php
if (SELF!='1'){die('ACCESS DENIED');}
?>
I personally use the first method. But similar methods to the 2nd one are also used alot.

As far as the GET request, I have that filtered with basename(trim()) and checked to make sure the file exists in the htdocs directory, and that it doesn't include a directory change like ../ or ./ or .. , and is at least 6 characters, else it triggers a 404 error. Can you think of anything I haven't taken into consideration?

I'll give the define(SELF, 1) a try and see how that works out.

laserlight

Pikachu2000 wrote:
For example, if I use "index.php?page_id=page_name.php" in the URL

You might want to read this essay that asserts that Cool URIs don't change. Although it was written by the inventor of the World Wide Web, you do not have to follow its advice, but it certainly presents some things to consider as you think about what you are trying to do.

Aside from this, I will just highlight two of the suggestions presented so far:

Keep your include files outside of your publicly accessible webspace by placing them in a directory that the web server is configured not to serve to the public.
If you do want to allow the client to influence which file will be included, use something like [man]basename/man in conjunction with say, [man]file_exists/man to ensure that only the files in the desired directory are actually included. Alternatively, only include a file if it matches a whitelist of filenames.

Pikachu2000

halojoy;10944706 wrote:
$_SERVER['PHP_SELF'] tells what is the main page
Even in one included page will tell same PHP_SELF,
as the main script page which did the include.

There are many ways to test if an included page was really included
or called directly, and so make an exit() to stop in such case.

Using value of $_SERVER['PHP_SELF'] is one such test.
<?php

echo $_SERVER['PHP_SELF']; // the main script page
echo '<br>';
echo __FILE__; // this file's path
echo '<br>';
echo basename(__FILE__); // this file's name
echo '<br>';
echo '<br>';

// test if this file's name is a part of PHP_SELF
// which means this file was NOT included, but called directly
// if so, exit() to end script
if(stripos($_SERVER['PHP_SELF'], basename(__FILE__))!==FALSE) exit('stop!');

?>
This is how you can use it.
Put as first line in all your include files, to protect them:
<?php
// test for hackers and stop with exit()
if(stripos($_SERVER['PHP_SELF'], basename(__FILE__)) !== FALSE) exit('stop!');

// rest of code
// more here

?>

Thank you, I'll give that a try also.

Pikachu2000

laserlight;10944709 wrote:
You might want to read this essay that asserts that Cool URIs don't change.Although it was written by the inventor of the World Wide Web, you do not have to follow its advice, but it certainly presents some things to consider as you think about what you are trying to do.

Al Gore wrote that?!? 🙂

Aside from this, I will just highlight two of the suggestions presented so far:

Keep your include files outside of your publicly accessible webspace by placing them in a directory that the web server is configured not to serve to the public.

If you do want to allow the client to influence which file will be included, use something like [man]basename/man in conjunction with say, [man]file_exists/man to ensure that only the files in the desired directory are actually included. Alternatively, only include a file if it matches a whitelist of filenames.

I use file_exists(basename(trim())) and verify there are no directory change operators involved. Otherwise, a 404 is triggered. I'd prefer to allow the files to be indexed by legitimate bots; is there a way I can do that if they are in an includes/ directory? With a .htaccess file perhaps?