Solved

Preventing direct execution of php scripts from browser

Posted on 2006-06-13
Last Modified: 2013-12-12
Hello,

I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.

For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the web root, I would like it to be able to invoke anything within /fooscripts/.

I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.

Thank You,

Bitz
Question by:BiTRaTE2600
7 Comments
 

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 16899783
you simply check if the session is started (assuming that the main script does start a session).

Assisted Solution

by:Roonaan
Roonaan earned 25 total points
ID: 16899787
You could set the pages to only allow http-POST requests. That would at least prevent people from accessing them by typing urls.

I agree on the fact that .htpasswd files will probably not help you out at this stage.

-r-

Assisted Solution

by:ThomasFranke
ThomasFranke earned 25 total points
ID: 16900251
How do you call your scripts from within your html pages?

If you do an include() or require() you can protect the directory /fooscripts/ with an .htaccess file, since the .htaccess file only checks the pages a user is requesting using either POST or GET, but not files included or required by scripts.

Author Comment

by:BiTRaTE2600
ID: 16903346
Thank you for your suggestions.

Response to angelIII:

I do not believe I can use sessions in this case. If a session is started with the main script, say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly? The user already has a session started from main.php, so the session will be present when the user executes foo.php directly.

Response to Roonaan:

Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.

Response to ThomasFranke:

I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was referring to. It is very similar to invoking a php script from a form. I am making a request via GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.

Any ideas?

Thank You,

Bitz

Expert Comment

by:NewJorg
ID: 16903356
If your foo.html is foo.php, then the include method and the .htaccess will work fine.

Another often seen solution is to define a constant in foo.php and, in the included files that shouldn't be opened by users directly, check for that constant:

foo.php:
define("INMYPAGE", true);   // set only in the real entry point
include("fooscripts/secret.php");

/fooscripts/secret.php:
if(!defined("INMYPAGE"))   // defined() takes the constant's name as a string
{
  exit("error occurred");  // reached only on a direct request for secret.php
}
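The constant guard written out as two complete files, added here as an example and not code from the thread. The constant name INMYPAGE and the /fooscripts/ directory come from NewJorg's comment; the file contents, the 403 response and the helper name render_secret() are assumptions for illustration. Note that the guard runs before any output, so a direct request for the helper gets nothing but the error status.

```php
<?php
// ---- foo.php (public entry point at the web root) ----
// Added example, not the thread's own code; paths and helper are assumed.
define('INMYPAGE', true);                       // proves the request entered through foo.php
require dirname(__FILE__) . '/fooscripts/secret.php';   // dirname(__FILE__) works on every PHP 5 release
echo render_secret(), "\n";

// ---- fooscripts/secret.php (helper that must never be served directly) ----
// First statement in the file: nothing may be echoed before the check,
// otherwise a direct request would already have received part of the output.
if (!defined('INMYPAGE')) {                     // the name goes in quotes; defined() wants a string
    header('HTTP/1.1 403 Forbidden');           // status line, before any body
    exit('Forbidden');                          // stop here on a direct request
}

// Only reached when included from foo.php.
function render_secret()
{
    return 'only reachable through foo.php';
}
```

Two practical points follow from ThomasFranke's remark about include(): because require() reads the helper from disk rather than over HTTP, an .htaccess in /fooscripts/ with `Order deny,allow` and `Deny from all` (Apache 2.x syntax) blocks browser requests for the directory without affecting the include, so the constant guard and the .htaccess rule can be used together. The guard does nothing, however, for a script that is fetched over HTTP rather than included, which is the situation the author describes in the later comment about the Flash client.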
 

Accepted Solution

by:NewJorg
NewJorg earned 250 total points
ID: 16903440
I thought the same as ThomasFranke, I guess it's the name :-)

Ok, in the new situation I would suggest trying to filter on the referer and maybe the user-agent. I don't know what user-agent Flash sends. Maybe you can make it more difficult to access the files, but you will have no chance to stop it completely, because the files will be accessed from clients (via Flash), so the information (referer, user-agent) can be faked.
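The referer and user-agent filter the accepted answer describes, written out as an added example that is not part of the thread; it also folds in Roonaan's earlier idea of restricting the HTTP method. The host name mysite.com comes from the question; the function name request_is_allowed(), the policy array and the three sample request environments are constructed for illustration. Every value the function looks at is supplied by the client, which is exactly the limitation NewJorg points out: the gate raises the bar, it does not make direct requests impossible.

```php
<?php
// Added example, not the thread's own code. A gate that a script in /fooscripts/
// calls before doing anything else. All inputs come from the request headers,
// so a forged request can pass; treat this as a deterrent, not a boundary.

function request_is_allowed(array $server, array $policy)
{
    // 1. Method: refuse anything not in the policy list (Roonaan's POST-only idea,
    //    widened to GET because the author needs GET as well).
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '';
    if (!in_array($method, $policy['methods'], true)) {
        return false;
    }

    // 2. Referer: must be present and its host must be ours. A URL typed into
    //    the address bar carries no Referer at all, which this rejects.
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);   // null when absent, false when malformed
    if (!is_string($host) || strcasecmp($host, $policy['host']) !== 0) {
        return false;
    }

    // 3. User-Agent: optional substring match; skipped while the policy leaves it
    //    empty, since the answer notes the Flash player's agent string is unknown.
    if ($policy['agent'] !== '') {
        $agent = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
        if (stripos($agent, $policy['agent']) === false) {
            return false;
        }
    }
    return true;
}

// Policy for this site (host from the question, the rest assumed).
$policy = array(
    'methods' => array('GET', 'POST'),
    'host'    => 'mysite.com',
    'agent'   => '',
);

// Constructed stand-ins for $_SERVER, one per situation the thread discusses.
$fromFlash = array(                              // request made by the .swf embedded in /foo.html
    'REQUEST_METHOD'  => 'GET',
    'HTTP_REFERER'    => 'http://mysite.com/foo.html',
    'HTTP_USER_AGENT' => 'Mozilla/5.0',
);
$typedInBar = array(                             // URL typed directly into the browser: no Referer
    'REQUEST_METHOD'  => 'GET',
    'HTTP_USER_AGENT' => 'Mozilla/5.0',
);
$otherSite = array(                              // page on another host embedding the script URL
    'REQUEST_METHOD'  => 'GET',
    'HTTP_REFERER'    => 'http://other.example/page.html',
);

var_dump(request_is_allowed($fromFlash, $policy));
var_dump(request_is_allowed($typedInBar, $policy));
var_dump(request_is_allowed($otherSite, $policy));

// In a real script in /fooscripts/, before any output:
// if (!request_is_allowed($_SERVER, $policy)) { header('HTTP/1.1 403 Forbidden'); exit; }
```

Of the three constructed environments only the first passes; the second fails on the missing Referer and the third on the foreign host. Because the check is by host rather than by full URL, moving foo.html to another path on the same site does not break it.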

Author Comment

by:BiTRaTE2600
ID: 16906234
Thank you NewJorg, I think this will do the trick!!!

Bitz