Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Preventing direct execution of php scripts from browser

Posted on 2006-06-13
7
Medium Priority
?
530 Views
Last Modified: 2013-12-12
Hello,

I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.

For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the webroot, I would like it to be able to invoke anything within /fooscripts/

I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.

Thank You,

Bitz
0
Comment
Question by:BiTRaTE2600
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 16899783
you simply check if the session is started (assuming that the main script does start a session).
0
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 100 total points
ID: 16899787
You could set the pages to only allow http-POST requests. That would at least prevent people from accessing them by typing urls.

I agree on the fact that .htpasswd files will probably not help you out at this stage.

-r-
0
 
LVL 6

Assisted Solution

by:ThomasFranke
ThomasFranke earned 100 total points
ID: 16900251
How do you call your scripts from within your html pages?

If you do an include() or require() you can protect the directory /fooscripts/ with
.htaccess file since the .htaccess file only checks for the pages a user is requesting
using either post or get but not for files included or required by scripts.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:BiTRaTE2600
ID: 16903346
Thank you for your suggestions.

Response to angelIII:

I do not believe I can use sessions in this case. If a session is started with the main script say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly. The user already has a session started from main.php, so the session will be present when a user executes foo.php directly.

Response to Roonaan:

Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.

Response to ThomasFranke:

I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was refering to. It is very similar to invoking a php script from a form. I am making a request viat GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.

Any ideas,

Thank You,

Bitz
0
 
LVL 3

Expert Comment

by:NewJorg
ID: 16903356
if your foo.html is foo.php, then the include-Method and the .htaccess will work fine.

Another often seen solution is to define an constant in foo.php and in the included files that shouldn't opened by users directly ask for that constant

foo.php:
define("INMYPAGE", true);
include("fooscripts/secret.php");

/fooscripts/secret.php:
if(!defined(INMYPAGE))
{
  exit("error occurred");
}
0
 
LVL 3

Accepted Solution

by:
NewJorg earned 1000 total points
ID: 16903440
I thought the same like ThomasFranke, I guess it's the name :-)

Ok in the new situation, I would suggest try to filter with referer and maybe user-agent. I don't know what user-agent flash sends. Maybe you can make it more difficult to access the files, but you will have no chance to stop it completly because it will be accessed from clients (over flash) so the informations (referer, user-agent) can be faked.
0
 

Author Comment

by:BiTRaTE2600
ID: 16906234
Thank you NewJorg, I think this will do the trick!!!

Bitz
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question