Prevent direct access to a php include file

Question

I have a php file which I will be using as exclusively as an include  Therefore I would like to throw an error instead of executing it when it s accessed directly by typing in the URL instead of being included   Basically I need to do a check as follows in the php file   if    REQUEST URL     URL OF CURRENT PAGE   die   Direct access not premitted      Is there an easy way to do this

User · Answer

Earlier mentioned solution with PHP version check added        max includes   version compare PHP VERSION   5     lt      0   1      if  count get included files     lt    max includes                exit  Direct access is not allowed

User · Answer

Actually my advice is to do all of these best practices    Put the documents outside the webroot OR in a directory denied access by the webserver AND Use a define in your visible documents that the hidden documents check for          if   defined INCL FILE FOO               header  HTTP 1 0 403 Forbidden              exit            This way if the files become misplaced somehow  an errant ftp operation  they are still protected

User · Answer

debug backtrace      die   Direct access not permitted

User · Answer

1  Checking the count of included files if  count get included files         version compare PHP VERSION   5 0 0     gt      1 0          exit  Restricted Access       Logic  PHP exits if the minimum include count isn t met  Note that prior to PHP5  the base page is not considered an include   2  Defining and verifying a global constant    In the base page  directly accessed   define   DEFVAR   1       In the include files  where direct access isn t permitted   defined   DEFVAR   or exit  Restricted Access     Logic  If the constant isn t defined  then the execution didn t start from the base page  and PHP would stop executing  Note that for the sake of portability across upgrades and future changes  making this authentication method modular would significantly reduce the coding overhead as the changes won t need to be hard-coded to every single file     Put the code in a separate file instead  say  checkdefined php   defined   DEFVAR   or exit  Restricted Access        Replace the same code in the include files with  require once  checkdefined php     This way additional code can be added to checkdefined php for logging and analytical purposes  as well as for generating appropriate responses  Credit where credit is due  The brilliant idea of portability came from this answer   3  Remote address authorisation    Call the include from the base page directly accessed    includeData   file get contents  quot http   127 0 0 1 component php auth token quot        In the include files  where direct access isn t permitted    src     SERVER  REMOTE ADDR       Get the source address  auth   authoriseIP  src      Authorisation algorithm if    auth   exit  Restricted Access     The drawback with this method is isolated execution  unless a session-token provided with the internal request  Verify via the loop-back address in case of a single server configuration  or an address white-list for a multi-server or load-balanced server infrastructure   4  Token authorisation Similar to the previous method  one can use GET or POST to pass an authorization token to the include file  if  key   quot serv97602 quot   header  quot Location   quot   dart  exit      A very messy method  but also perhaps the most secure and versatile at the same time  when used in the right way   5  Webserver specific configuration Most servers allow you to assign permissions for individual files or directories  You could place all your includes in such restricted directories  and have the server configured to deny them  For example in APACHE  the configuration is stored in the  htaccess file  Tutorial here  Note however that server-specific configurations are not recommended by me because they are bad for portability across different web-servers  In cases like Content Management Systems where the deny-algorithm is complex or the list of denied directories is rather big  it might only make reconfiguration sessions rather gruesome  In the end it s best to handle this in code   6  Placing includes in a secure directory OUTSIDE the site root Least preferred because of access limitations in server environments  but a rather powerful method if you have access to the file-system    Your secure dir path based on server file-system  secure dir dirname   SERVER  DOCUMENT ROOT    DIRECTORY SEPARATOR  quot secure quot  DIRECTORY SEPARATOR  include  secure dir  quot securepage php quot     Logic   The user cannot request any file outside the htdocs folder as the links would be outside the scope of the website s address system  The php server accesses the file-system natively  and hence can access files on a computer just like how a normal program with required privileges can  By placing the include files in this directory  you can ensure that the php server gets to access them  while hotlinking is denied to the user  Even if the webserver s filesystem access configuration wasn t done properly  this method would prevent those files from becoming public accidentally    Please excuse my unorthodox coding conventions  Any feedback is appreciated

User · Answer

I didn t find the suggestions with  htaccess so good because it may block other content in that folder which you might want to allow user to access to  this is my solution    currentFileInfo   pathinfo   FILE      requestInfo   pathinfo   SERVER  REQUEST URI     if  currentFileInfo  basename       requestInfo  basename            direct access to file

User · Answer

The easiest way is to set some variable in the file that calls include  such as   including   true    Then in the file that s being included  check for the variable  if    including  exit  direct access not permitted

User · Answer

What Joomla  does is defining a Constant in a root file and checking if the same is defined in the included files   defined   JEXEC   or die  Restricted access      or else   one can keep all files outside the reach of an http request by placing them outside the webroot directory as most frameworks like CodeIgniter recommend    or even by placing an  htaccess file within the include folder and writing rules  you can prevent direct access

User · Answer

Do something like    lt  php if    SERVER  SCRIPT FILENAME        lt path to php include file gt          header  HTTP 1 0 403 Forbidden        exit  Forbidden        gt

User · Answer

debug backtrace      die   Direct access not permitted

User · Answer

I found this php-only and invariable solution which works both with http and cli     Define a function     function forbidDirectAccess  file         self   getcwd       trim   SERVER  PHP SELF               substr compare  file   self  -strlen  self      0  or die  Restricted access        Call the function in the file you want to prevent direct access to     forbidDirectAccess   FILE       Most of the solutions given above to this question do not work in Cli mode

User · Answer

Actually my advice is to do all of these best practices    Put the documents outside the webroot OR in a directory denied access by the webserver AND Use a define in your visible documents that the hidden documents check for          if   defined INCL FILE FOO               header  HTTP 1 0 403 Forbidden              exit            This way if the files become misplaced somehow  an errant ftp operation  they are still protected

User · Answer

I had this problem once  solved with   if  strpos   SERVER  REQUEST URI    basename   FILE         false        but the ideal solution is to place the file outside of the web-server document root  as mentioned in another anwser

User · Answer

The best way to prevent direct access to files is to place them outside of the web-server document root  usually  one level above   You can still include them  but there is no possibility of someone accessing them through an http request   I usually go all the way  and place all of my PHP files outside of the document root aside from the bootstrap file - a lone index php in the document root that starts routing the entire website application

User · Answer

Add this to the page that you want to only be included   lt  php if  defined  MyConst         die  Direct access not permitted        gt    then on the pages that include it add   lt  php define  MyConst   TRUE     gt

User · Answer

lt  php         url    http         SERVER  SERVER NAME       SERVER  REQUEST URI      if  false     strpos  url   php            die   Direct access not premitted          gt

User · Answer

i suggest that don t use of   SERVER for security reasons   You can use a variable like  root true  in first file that included another one  and use isset  root  in begin of second file that be included

User · Answer

You d better build application with one entrance point  i e  all files should be reached from index php  Place this in index php  define A true     This check should run in each linked file  via require or include   defined  A   or die header  HTTP 1 0 403 Forbidden

User · Answer

I wanted to restrict access to the PHP file directly  but also be able to call it via jQuery   ajax  XMLHttpRequest   Here is what worked for me   if  empty   SERVER  HTTP X REQUESTED WITH     amp  amp    SERVER  HTTP X REQUESTED WITH       XMLHttpRequest         if  realpath   SERVER  SCRIPT FILENAME         FILE         direct access denied         header  Location   403            exit

User · Answer

I have a file that I need to act differently when it s included vs when it s accessed directly  mainly a print   vs return    Here s some modified code   if count get included files      1  exit  Direct access not permitted       The file being accessed is always an included file  hence the    1   nbsp

User · Answer

Storing your include files outside the web accessible directory has been mentioned a few times  and is certainly a good strategy where possible  However  another option I have not yet seen mentioned  ensure that your include files don   t contain any runnable code  If your include files merely define functions and classes  and have no code other than that  they will simply produce a blank page when accessed directly   By all means allow direct access to this file from the browser  it won   t do anything  It defines some functions  but none of them are called  so none of them run    lt  php  function a            function body    function b            function body     The same applies to files which contain only PHP classes  and nothing else     It   s still a good idea to keep your files outside of the web directory where possible    You might accidentally deactivate PHP  in which case your server may send content of the PHP files to the browser  instead of running PHP and sending the result  This could result in your code  including database passwords  API keys  etc   leaking  Files in the web directory are squatting on URLs you may want to use for your app  I work with a CMS which cannot have a page called system  because that would conflict with a path used for code  I find this annoying

User · Answer

Do something like    lt  php if    SERVER  SCRIPT FILENAME        lt path to php include file gt          header  HTTP 1 0 403 Forbidden        exit  Forbidden        gt

User · Answer

If more precisely  you should use this condition   if  array search   FILE    get included files        0        echo  direct access     else       echo  included       get included files   returns indexed array containing names of all included files  if file is beign executed then it was included and its name is in the array   So  when the file is directly accessed  its name is the first in the array  all other files in the array were included

User · Answer

An alternative  or complement  to Chuck s solution would be to deny access to files matching a specific pattern by putting something like this in your  htaccess file   lt FilesMatch     inc    gt      Order deny allow     Deny from all  lt  FilesMatch gt

User · Answer

The easiest way is to set some variable in the file that calls include  such as   including   true    Then in the file that s being included  check for the variable  if    including  exit  direct access not permitted

User · Answer

You d better build application with one entrance point  i e  all files should be reached from index php  Place this in index php  define A true     This check should run in each linked file  via require or include   defined  A   or die header  HTTP 1 0 403 Forbidden

User · Answer

I didn t find the suggestions with  htaccess so good because it may block other content in that folder which you might want to allow user to access to  this is my solution    currentFileInfo   pathinfo   FILE      requestInfo   pathinfo   SERVER  REQUEST URI     if  currentFileInfo  basename       requestInfo  basename            direct access to file

User · Answer

The best way to prevent direct access to files is to place them outside of the web-server document root  usually  one level above   You can still include them  but there is no possibility of someone accessing them through an http request   I usually go all the way  and place all of my PHP files outside of the document root aside from the bootstrap file - a lone index php in the document root that starts routing the entire website application

User · Answer

Do something like    lt  php if    SERVER  SCRIPT FILENAME        lt path to php include file gt          header  HTTP 1 0 403 Forbidden        exit  Forbidden        gt

User · Answer

I have a file that I need to act differently when it s included vs when it s accessed directly  mainly a print   vs return    Here s some modified code   if count get included files      1  exit  Direct access not permitted       The file being accessed is always an included file  hence the    1   nbsp

User · Answer

The following code is used in the Flatnux CMS  http   flatnux altervista org    if   strpos strtolower   SERVER  SCRIPT NAME    strtolower basename   FILE              header  Location        index php        die

User · Answer

i suggest that don t use of   SERVER for security reasons   You can use a variable like  root true  in first file that included another one  and use isset  root  in begin of second file that be included

User · Answer

Besides the  htaccess way  I have seen a useful pattern in various frameworks  for example in ruby on rails  They have a separate pub  directory in the application root directory and the library directories are living in directories at the same level as pub   Something like this  not ideal  but you get the idea    app       --pub       --lib       --conf       --models       --views       --controllers    You set up your web server to use pub  as document root  This offers better protection to your scripts  while they can reach out from the document root to load necessary components it is impossible to access the components from the internet  Another benefit besides security is that everything is in one place   This setup is better than just creating checks in every single included file because  access not permitted  message is a clue to attackers  and it is better than  htaccess configuration because it is not white-list based  if you screw up the file extensions it will not be visible in the lib   conf  etc  directories

User · Answer

lt  php if  eregi  YOUR INCLUDED PHP FILE NAME     SERVER  PHP SELF         die   lt h4 gt You don t have right permission to access this file directly  lt  h4 gt         gt    place the code above in the top of your included php file   ex    lt  php if  eregi  some functions php     SERVER  PHP SELF           die   lt h4 gt You don t have right permission to access this file directly  lt  h4 gt               do something   gt

User · Answer

I had this problem once  solved with   if  strpos   SERVER  REQUEST URI    basename   FILE         false        but the ideal solution is to place the file outside of the web-server document root  as mentioned in another anwser

User · Answer

The easiest way for the generic  PHP app running on an Apache server that you may or may not fully control  situation is to put your includes in a directory and deny access to that directory in your  htaccess file  To save people the trouble of Googling  if you re using Apache  put this in a file called   htaccess  in the directory you don t want to be accessible   Deny from all   If you actually have full control of the server  more common these days even for little apps than when I first wrote this answer   the best approach is to stick the files you want to protect outside of the directory that your web server is serving from  So if your app is in  srv YourApp   set the server to serve files from  srv YourApp app  and put the includes in  srv YourApp includes  so there literally isn t any URL that can access them

User · Answer

If more precisely  you should use this condition   if  array search   FILE    get included files        0        echo  direct access     else       echo  included       get included files   returns indexed array containing names of all included files  if file is beign executed then it was included and its name is in the array   So  when the file is directly accessed  its name is the first in the array  all other files in the array were included

User · Answer

The following code is used in the Flatnux CMS  http   flatnux altervista org    if   strpos strtolower   SERVER  SCRIPT NAME    strtolower basename   FILE              header  Location        index php        die

User · Answer

The easiest way for the generic  PHP app running on an Apache server that you may or may not fully control  situation is to put your includes in a directory and deny access to that directory in your  htaccess file  To save people the trouble of Googling  if you re using Apache  put this in a file called   htaccess  in the directory you don t want to be accessible   Deny from all   If you actually have full control of the server  more common these days even for little apps than when I first wrote this answer   the best approach is to stick the files you want to protect outside of the directory that your web server is serving from  So if your app is in  srv YourApp   set the server to serve files from  srv YourApp app  and put the includes in  srv YourApp includes  so there literally isn t any URL that can access them

User · Answer

What you can also do is password protect the directory and keep all your php scripts in there  ofcourse except the index php file  as at the time of include password won t be required as it will be required only for http access  what it will do is also provide you the option to access your scripts in case you want it as you will have password to access that directory  you will need to setup  htaccess file for the directory and a  htpasswd file to authenticate the user   well  you can also use any of the solutions provided above in case you feel you don t need to access those files normally because you can always access them through cPanel etc   Hope this helps

User · Answer

The easiest way is to set some variable in the file that calls include  such as   including   true    Then in the file that s being included  check for the variable  if    including  exit  direct access not permitted

User · Answer

if  basename   SERVER  PHP SELF       basename   FILE       die  Access denied

User · Answer

Add this to the page that you want to only be included   lt  php if  defined  MyConst         die  Direct access not permitted        gt    then on the pages that include it add   lt  php define  MyConst   TRUE     gt

User · Answer

You can use the following method below although  it does have a flaw  because it can be faked  except if you can add another line of code to make sure the request comes only from your server either by using Javascript  You can place this code in the Body section of your HTML code  so the error shows there    lt   if  isset   SERVER  HTTP REQUEST       include   error file php      else     gt    Place your other HTML code here   lt       gt    End it like this  so the output of the error will always show within the body section  if that s how you want it to be

User · Answer

Do something like    lt  php if    SERVER  SCRIPT FILENAME        lt path to php include file gt          header  HTTP 1 0 403 Forbidden        exit  Forbidden        gt

User · Answer

You can also try renaming the document you don t want people to be able to access  You could rename it to 47d8498d3w php for instance  Just make something up that people most likely won t type as a http-request  If you include the file with SSI or PHP  the user won t be able to see the name of the document anyway

User · Answer

if     defined  BASEPATH    exit  No direct script access allowed      will do the job smooth

User · Answer

The easiest way is to store your includes outside of the web directory  That way the server has access to them but no outside machine  The only down side is you need to be able to access this part of your server  The upside is it requires no set up  configuration  or additional code server stress

User · Answer

Besides the  htaccess way  I have seen a useful pattern in various frameworks  for example in ruby on rails  They have a separate pub  directory in the application root directory and the library directories are living in directories at the same level as pub   Something like this  not ideal  but you get the idea    app       --pub       --lib       --conf       --models       --views       --controllers    You set up your web server to use pub  as document root  This offers better protection to your scripts  while they can reach out from the document root to load necessary components it is impossible to access the components from the internet  Another benefit besides security is that everything is in one place   This setup is better than just creating checks in every single included file because  access not permitted  message is a clue to attackers  and it is better than  htaccess configuration because it is not white-list based  if you screw up the file extensions it will not be visible in the lib   conf  etc  directories

User · Answer

Actually my advice is to do all of these best practices    Put the documents outside the webroot OR in a directory denied access by the webserver AND Use a define in your visible documents that the hidden documents check for          if   defined INCL FILE FOO               header  HTTP 1 0 403 Forbidden              exit            This way if the files become misplaced somehow  an errant ftp operation  they are still protected

User · Answer

My answer is somewhat different in approach but includes many of the answers provided here  I would recommend a multipronged approach     htaccess and Apache restrictions for sure defined   SOMECONSTANT   or die  Hackers  Be gone       HOWEVER the defined or die approach has a number of failings  Firstly  it is a real pain in the assumptions to test and debug with  Secondly  it involves horrifyingly  mind-numbingly boring refactoring if you change your mind   Find and replace   you say  Yes  but how sure are you that it is written exactly the same everywhere  hmmm  Now multiply that with thousands of files    o O  And then there s  htaccess  What happens if your code is distributed onto sites where the administrator is not so scrupulous  If you rely only on  htaccess to secure your files you re also going to need a  a backup  b  a box of tissues to dry your tears  c  a fire extinguisher to put out the flames in all the hatemail from people using your code   So I know the question asks for the  easiest   but I think what this calls for is more  defensive coding    What I suggest is    Before any of your scripts require  ifyoulieyougonnadie php     not include   and as a replacement for defined or die  In ifyoulieyougonnadie php  do some logic stuff - check for different constants  calling script  localhost testing and such - and then implement your die    throw new Exception  403  etc   I am creating my own framework with two possible entry points - the main index php  Joomla framework  and ajaxrouter php  my framework  - so depending on the point of entry  I check for different things  If the request to ifyoulieyougonnadie php doesn t come from one of those two files  I know shenanigans are being undertaken    But what if I add a new entry point  No worries  I just change ifyoulieyougonnadie php and I m sorted  plus no  find and replace   Hooray   What if I decided to move some of my scripts to do a different framework that doesn t have the same constants defined        Hooray        I found this strategy makes development a lot more fun and a lot less          Hmmm    why is my netbeans debugger only showing a blank white page     for this script  that is being tested outside the framework      Later    I just don t understand why my code is not working       Much later    There are no error messages or anything      Why is it not working       I HATE PHP           Scroll back to the top of my 100s of lines of code       U U       Sorry PHP  I didn t mean what I said  I was just upset           defined   JEXEC   or die      class perfectlyWorkingCode      perfectlyWorkingCode  nowDoingStuffBecauseIRememberedToCommentOutTheDie

User · Answer

Redirect from that file to some other page   like index html    htaccess   Redirect 301 LINK TO YOUR PHP LINK TO INDEX HTML

User · Answer

I found this php-only and invariable solution which works both with http and cli     Define a function     function forbidDirectAccess  file         self   getcwd       trim   SERVER  PHP SELF               substr compare  file   self  -strlen  self      0  or die  Restricted access        Call the function in the file you want to prevent direct access to     forbidDirectAccess   FILE       Most of the solutions given above to this question do not work in Cli mode

User · Answer

My answer is somewhat different in approach but includes many of the answers provided here  I would recommend a multipronged approach     htaccess and Apache restrictions for sure defined   SOMECONSTANT   or die  Hackers  Be gone       HOWEVER the defined or die approach has a number of failings  Firstly  it is a real pain in the assumptions to test and debug with  Secondly  it involves horrifyingly  mind-numbingly boring refactoring if you change your mind   Find and replace   you say  Yes  but how sure are you that it is written exactly the same everywhere  hmmm  Now multiply that with thousands of files    o O  And then there s  htaccess  What happens if your code is distributed onto sites where the administrator is not so scrupulous  If you rely only on  htaccess to secure your files you re also going to need a  a backup  b  a box of tissues to dry your tears  c  a fire extinguisher to put out the flames in all the hatemail from people using your code   So I know the question asks for the  easiest   but I think what this calls for is more  defensive coding    What I suggest is    Before any of your scripts require  ifyoulieyougonnadie php     not include   and as a replacement for defined or die  In ifyoulieyougonnadie php  do some logic stuff - check for different constants  calling script  localhost testing and such - and then implement your die    throw new Exception  403  etc   I am creating my own framework with two possible entry points - the main index php  Joomla framework  and ajaxrouter php  my framework  - so depending on the point of entry  I check for different things  If the request to ifyoulieyougonnadie php doesn t come from one of those two files  I know shenanigans are being undertaken    But what if I add a new entry point  No worries  I just change ifyoulieyougonnadie php and I m sorted  plus no  find and replace   Hooray   What if I decided to move some of my scripts to do a different framework that doesn t have the same constants defined        Hooray        I found this strategy makes development a lot more fun and a lot less          Hmmm    why is my netbeans debugger only showing a blank white page     for this script  that is being tested outside the framework      Later    I just don t understand why my code is not working       Much later    There are no error messages or anything      Why is it not working       I HATE PHP           Scroll back to the top of my 100s of lines of code       U U       Sorry PHP  I didn t mean what I said  I was just upset           defined   JEXEC   or die      class perfectlyWorkingCode      perfectlyWorkingCode  nowDoingStuffBecauseIRememberedToCommentOutTheDie

User · Answer

Besides the  htaccess way  I have seen a useful pattern in various frameworks  for example in ruby on rails  They have a separate pub  directory in the application root directory and the library directories are living in directories at the same level as pub   Something like this  not ideal  but you get the idea    app       --pub       --lib       --conf       --models       --views       --controllers    You set up your web server to use pub  as document root  This offers better protection to your scripts  while they can reach out from the document root to load necessary components it is impossible to access the components from the internet  Another benefit besides security is that everything is in one place   This setup is better than just creating checks in every single included file because  access not permitted  message is a clue to attackers  and it is better than  htaccess configuration because it is not white-list based  if you screw up the file extensions it will not be visible in the lib   conf  etc  directories

User · Answer

I have a file that I need to act differently when it s included vs when it s accessed directly  mainly a print   vs return    Here s some modified code   if count get included files      1  exit  Direct access not permitted       The file being accessed is always an included file  hence the    1   nbsp

User · Answer

Storing your include files outside the web accessible directory has been mentioned a few times  and is certainly a good strategy where possible  However  another option I have not yet seen mentioned  ensure that your include files don   t contain any runnable code  If your include files merely define functions and classes  and have no code other than that  they will simply produce a blank page when accessed directly   By all means allow direct access to this file from the browser  it won   t do anything  It defines some functions  but none of them are called  so none of them run    lt  php  function a            function body    function b            function body     The same applies to files which contain only PHP classes  and nothing else     It   s still a good idea to keep your files outside of the web directory where possible    You might accidentally deactivate PHP  in which case your server may send content of the PHP files to the browser  instead of running PHP and sending the result  This could result in your code  including database passwords  API keys  etc   leaking  Files in the web directory are squatting on URLs you may want to use for your app  I work with a CMS which cannot have a page called system  because that would conflict with a path used for code  I find this annoying

User · Answer

Actually my advice is to do all of these best practices    Put the documents outside the webroot OR in a directory denied access by the webserver AND Use a define in your visible documents that the hidden documents check for          if   defined INCL FILE FOO               header  HTTP 1 0 403 Forbidden              exit            This way if the files become misplaced somehow  an errant ftp operation  they are still protected

User · Answer

lt  php if  eregi  YOUR INCLUDED PHP FILE NAME     SERVER  PHP SELF         die   lt h4 gt You don t have right permission to access this file directly  lt  h4 gt         gt    place the code above in the top of your included php file   ex    lt  php if  eregi  some functions php     SERVER  PHP SELF           die   lt h4 gt You don t have right permission to access this file directly  lt  h4 gt               do something   gt

User · Answer

An alternative  or complement  to Chuck s solution would be to deny access to files matching a specific pattern by putting something like this in your  htaccess file   lt FilesMatch     inc    gt      Order deny allow     Deny from all  lt  FilesMatch gt

User · Answer

if  basename   SERVER  PHP SELF       basename   FILE       die  Access denied

User · Answer

if     defined  BASEPATH    exit  No direct script access allowed      will do the job smooth

User · Answer

An alternative  or complement  to Chuck s solution would be to deny access to files matching a specific pattern by putting something like this in your  htaccess file   lt FilesMatch     inc    gt      Order deny allow     Deny from all  lt  FilesMatch gt

User · Answer

Add this to the page that you want to only be included   lt  php if  defined  MyConst         die  Direct access not permitted        gt    then on the pages that include it add   lt  php define  MyConst   TRUE     gt

User · Answer

You can use phpMyAdmin Style            block attempts to directly run this script     if  getcwd      dirname   FILE           die  Attack stopped

User · Answer

You can use phpMyAdmin Style            block attempts to directly run this script     if  getcwd      dirname   FILE           die  Attack stopped

User · Answer

lt  php         url    http         SERVER  SERVER NAME       SERVER  REQUEST URI      if  false     strpos  url   php            die   Direct access not premitted          gt

User · Answer

I have a file that I need to act differently when it s included vs when it s accessed directly  mainly a print   vs return    Here s some modified code   if count get included files      1  exit  Direct access not permitted       The file being accessed is always an included file  hence the    1   nbsp

User · Answer

You can use the following method below although  it does have a flaw  because it can be faked  except if you can add another line of code to make sure the request comes only from your server either by using Javascript  You can place this code in the Body section of your HTML code  so the error shows there    lt   if  isset   SERVER  HTTP REQUEST       include   error file php      else     gt    Place your other HTML code here   lt       gt    End it like this  so the output of the error will always show within the body section  if that s how you want it to be

User · Answer

Earlier mentioned solution with PHP version check added        max includes   version compare PHP VERSION   5     lt      0   1      if  count get included files     lt    max includes                exit  Direct access is not allowed

User · Answer

1  Checking the count of included files if  count get included files         version compare PHP VERSION   5 0 0     gt      1 0          exit  Restricted Access       Logic  PHP exits if the minimum include count isn t met  Note that prior to PHP5  the base page is not considered an include   2  Defining and verifying a global constant    In the base page  directly accessed   define   DEFVAR   1       In the include files  where direct access isn t permitted   defined   DEFVAR   or exit  Restricted Access     Logic  If the constant isn t defined  then the execution didn t start from the base page  and PHP would stop executing  Note that for the sake of portability across upgrades and future changes  making this authentication method modular would significantly reduce the coding overhead as the changes won t need to be hard-coded to every single file     Put the code in a separate file instead  say  checkdefined php   defined   DEFVAR   or exit  Restricted Access        Replace the same code in the include files with  require once  checkdefined php     This way additional code can be added to checkdefined php for logging and analytical purposes  as well as for generating appropriate responses  Credit where credit is due  The brilliant idea of portability came from this answer   3  Remote address authorisation    Call the include from the base page directly accessed    includeData   file get contents  quot http   127 0 0 1 component php auth token quot        In the include files  where direct access isn t permitted    src     SERVER  REMOTE ADDR       Get the source address  auth   authoriseIP  src      Authorisation algorithm if    auth   exit  Restricted Access     The drawback with this method is isolated execution  unless a session-token provided with the internal request  Verify via the loop-back address in case of a single server configuration  or an address white-list for a multi-server or load-balanced server infrastructure   4  Token authorisation Similar to the previous method  one can use GET or POST to pass an authorization token to the include file  if  key   quot serv97602 quot   header  quot Location   quot   dart  exit      A very messy method  but also perhaps the most secure and versatile at the same time  when used in the right way   5  Webserver specific configuration Most servers allow you to assign permissions for individual files or directories  You could place all your includes in such restricted directories  and have the server configured to deny them  For example in APACHE  the configuration is stored in the  htaccess file  Tutorial here  Note however that server-specific configurations are not recommended by me because they are bad for portability across different web-servers  In cases like Content Management Systems where the deny-algorithm is complex or the list of denied directories is rather big  it might only make reconfiguration sessions rather gruesome  In the end it s best to handle this in code   6  Placing includes in a secure directory OUTSIDE the site root Least preferred because of access limitations in server environments  but a rather powerful method if you have access to the file-system    Your secure dir path based on server file-system  secure dir dirname   SERVER  DOCUMENT ROOT    DIRECTORY SEPARATOR  quot secure quot  DIRECTORY SEPARATOR  include  secure dir  quot securepage php quot     Logic   The user cannot request any file outside the htdocs folder as the links would be outside the scope of the website s address system  The php server accesses the file-system natively  and hence can access files on a computer just like how a normal program with required privileges can  By placing the include files in this directory  you can ensure that the php server gets to access them  while hotlinking is denied to the user  Even if the webserver s filesystem access configuration wasn t done properly  this method would prevent those files from becoming public accidentally    Please excuse my unorthodox coding conventions  Any feedback is appreciated

User · Answer

What Joomla  does is defining a Constant in a root file and checking if the same is defined in the included files   defined   JEXEC   or die  Restricted access      or else   one can keep all files outside the reach of an http request by placing them outside the webroot directory as most frameworks like CodeIgniter recommend    or even by placing an  htaccess file within the include folder and writing rules  you can prevent direct access

User · Answer

Redirect from that file to some other page   like index html    htaccess   Redirect 301 LINK TO YOUR PHP LINK TO INDEX HTML

User · Answer

The easiest way is to set some variable in the file that calls include  such as   including   true    Then in the file that s being included  check for the variable  if    including  exit  direct access not permitted

User · Answer

The easiest way for the generic  PHP app running on an Apache server that you may or may not fully control  situation is to put your includes in a directory and deny access to that directory in your  htaccess file  To save people the trouble of Googling  if you re using Apache  put this in a file called   htaccess  in the directory you don t want to be accessible   Deny from all   If you actually have full control of the server  more common these days even for little apps than when I first wrote this answer   the best approach is to stick the files you want to protect outside of the directory that your web server is serving from  So if your app is in  srv YourApp   set the server to serve files from  srv YourApp app  and put the includes in  srv YourApp includes  so there literally isn t any URL that can access them

User · Answer

The best way to prevent direct access to files is to place them outside of the web-server document root  usually  one level above   You can still include them  but there is no possibility of someone accessing them through an http request   I usually go all the way  and place all of my PHP files outside of the document root aside from the bootstrap file - a lone index php in the document root that starts routing the entire website application

User · Answer

Add this to the page that you want to only be included   lt  php if  defined  MyConst         die  Direct access not permitted        gt    then on the pages that include it add   lt  php define  MyConst   TRUE     gt

User · Answer

What you can also do is password protect the directory and keep all your php scripts in there  ofcourse except the index php file  as at the time of include password won t be required as it will be required only for http access  what it will do is also provide you the option to access your scripts in case you want it as you will have password to access that directory  you will need to setup  htaccess file for the directory and a  htpasswd file to authenticate the user   well  you can also use any of the solutions provided above in case you feel you don t need to access those files normally because you can always access them through cPanel etc   Hope this helps

User · Answer

The easiest way for the generic  PHP app running on an Apache server that you may or may not fully control  situation is to put your includes in a directory and deny access to that directory in your  htaccess file  To save people the trouble of Googling  if you re using Apache  put this in a file called   htaccess  in the directory you don t want to be accessible   Deny from all   If you actually have full control of the server  more common these days even for little apps than when I first wrote this answer   the best approach is to stick the files you want to protect outside of the directory that your web server is serving from  So if your app is in  srv YourApp   set the server to serve files from  srv YourApp app  and put the includes in  srv YourApp includes  so there literally isn t any URL that can access them

User · Answer

I wanted to restrict access to the PHP file directly  but also be able to call it via jQuery   ajax  XMLHttpRequest   Here is what worked for me   if  empty   SERVER  HTTP X REQUESTED WITH     amp  amp    SERVER  HTTP X REQUESTED WITH       XMLHttpRequest         if  realpath   SERVER  SCRIPT FILENAME         FILE         direct access denied         header  Location   403            exit

User · Answer

An alternative  or complement  to Chuck s solution would be to deny access to files matching a specific pattern by putting something like this in your  htaccess file   lt FilesMatch     inc    gt      Order deny allow     Deny from all  lt  FilesMatch gt

User · Answer

The easiest way is to store your includes outside of the web directory  That way the server has access to them but no outside machine  The only down side is you need to be able to access this part of your server  The upside is it requires no set up  configuration  or additional code server stress

User · Answer

Besides the  htaccess way  I have seen a useful pattern in various frameworks  for example in ruby on rails  They have a separate pub  directory in the application root directory and the library directories are living in directories at the same level as pub   Something like this  not ideal  but you get the idea    app       --pub       --lib       --conf       --models       --views       --controllers    You set up your web server to use pub  as document root  This offers better protection to your scripts  while they can reach out from the document root to load necessary components it is impossible to access the components from the internet  Another benefit besides security is that everything is in one place   This setup is better than just creating checks in every single included file because  access not permitted  message is a clue to attackers  and it is better than  htaccess configuration because it is not white-list based  if you screw up the file extensions it will not be visible in the lib   conf  etc  directories

User · Answer

You can also try renaming the document you don t want people to be able to access  You could rename it to 47d8498d3w php for instance  Just make something up that people most likely won t type as a http-request  If you include the file with SSI or PHP  the user won t be able to see the name of the document anyway

User · Answer

The best way to prevent direct access to files is to place them outside of the web-server document root  usually  one level above   You can still include them  but there is no possibility of someone accessing them through an http request   I usually go all the way  and place all of my PHP files outside of the document root aside from the bootstrap file - a lone index php in the document root that starts routing the entire website application

[php] Prevent direct access to a php include file

Examples related to php

Examples related to include

Examples related to include-guards