BiTRaTE2600
asked on
Preventing direct execution of php scripts from browser
Hello,
I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.
For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the webroot, I would like it to be able to invoke anything within /fooscripts/
I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.
Thank You,
Bitz
You simply check if the session is started (assuming that the main script does start a session).
ASKER
Thank you for your suggestions.
Response to angelIII:
I do not believe I can use sessions in this case. If a session is started with the main script, say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly? The user already has a session started from main.php, so the session will be present when a user executes foo.php directly.
Response to Roonaan:
Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.
Response to ThomasFranke:
I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was referring to. It is very similar to invoking a php script from a form. I am making a request via GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.
Any ideas,
Thank You,
Bitz
If your foo.html is foo.php, then the include method and the .htaccess will work fine.
Another often seen solution is to define a constant in foo.php and, in the included files that shouldn't be opened by users directly, check for that constant:
foo.php:
<?php
// Marker constant: tells included files that this request entered through foo.php.
define("INMYPAGE", true);
include("fooscripts/secret.php");

/fooscripts/secret.php:
<?php
// Refuse to run unless included from foo.php. The constant name must be a
// quoted string; defined(INMYPAGE) without quotes would not check the right thing.
if (!defined("INMYPAGE"))
{
exit("error occurred");
}
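The same constant guard carried a step further, as an added example that is not code from the thread: a single public entry point (foo.php) dispatches by a whitelisted GET parameter to scripts under /fooscripts/, the guarded script checks the constant, and an .htaccess on /fooscripts/ blocks direct HTTP access. The two files are shown in one block; the action names, file names and the cache path are assumptions, and a Flash client would request foo.php?action=image instead of the script itself.

```php
<?php
// ---- foo.php (web root): the only script the browser or Flash client requests ----
// Marker constant: proves to included files that this request entered via foo.php.
define("INMYPAGE", true);

// Hypothetical whitelist mapping a request parameter to files under fooscripts/.
// The file name is looked up here, never built from raw user input.
$allowed = array(
    'image'  => 'image.php',
    'report' => 'report.php',
);

$action = isset($_GET['action']) ? $_GET['action'] : '';
if (!isset($allowed[$action])) {
    header('HTTP/1.1 404 Not Found');
    exit('unknown action');
}

// require() reads the file from disk, so an .htaccess that denies HTTP access
// to /fooscripts/ does not interfere with it. The constant check below still
// matters as a second layer in case AllowOverride disables the .htaccess.
//     # fooscripts/.htaccess (Apache 2.2 syntax)
//     Order deny,allow
//     Deny from all
require dirname(__FILE__) . '/fooscripts/' . $allowed[$action];

// ---- fooscripts/image.php: runs only when included from foo.php ----
// Quoted constant name: defined(INMYPAGE) without quotes would test an
// undefined bare-word constant instead of the marker set above.
if (!defined('INMYPAGE')) {
    header('HTTP/1.1 403 Forbidden');
    exit('error occurred');
}

// Assumed cache layout: one pre-rendered PNG per integer id. Casting to int
// keeps the path free of anything but digits.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$file = dirname(__FILE__) . '/cache/' . $id . '.png';
if (!is_file($file)) {
    header('HTTP/1.1 404 Not Found');
    exit('no such image');
}
header('Content-Type: image/png');
readfile($file);
```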
ASKER
Thank you NewJorg, I think this will do the trick!!!
Bitz