Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Preventing direct execution of php scripts from browser

Posted on 2006-06-13
7
Medium Priority
?
531 Views
Last Modified: 2013-12-12
Hello,

I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.

For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the webroot, I would like it to be able to invoke anything within /fooscripts/

I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.

Thank You,

Bitz
0
Comment
Question by:BiTRaTE2600
7 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 16899783
you simply check if the session is started (assuming that the main script does start a session).
0
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 100 total points
ID: 16899787
You could set the pages to only allow http-POST requests. That would at least prevent people from accessing them by typing urls.

I agree on the fact that .htpasswd files will probably not help you out at this stage.

-r-
0
 
LVL 6

Assisted Solution

by:ThomasFranke
ThomasFranke earned 100 total points
ID: 16900251
How do you call your scripts from within your html pages?

If you do an include() or require() you can protect the directory /fooscripts/ with
.htaccess file since the .htaccess file only checks for the pages a user is requesting
using either post or get but not for files included or required by scripts.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:BiTRaTE2600
ID: 16903346
Thank you for your suggestions.

Response to angelIII:

I do not believe I can use sessions in this case. If a session is started with the main script say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly. The user already has a session started from main.php, so the session will be present when a user executes foo.php directly.

Response to Roonaan:

Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.

Response to ThomasFranke:

I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was refering to. It is very similar to invoking a php script from a form. I am making a request viat GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.

Any ideas,

Thank You,

Bitz
0
 
LVL 3

Expert Comment

by:NewJorg
ID: 16903356
if your foo.html is foo.php, then the include-Method and the .htaccess will work fine.

Another often seen solution is to define an constant in foo.php and in the included files that shouldn't opened by users directly ask for that constant

foo.php:
define("INMYPAGE", true);
include("fooscripts/secret.php");

/fooscripts/secret.php:
if(!defined(INMYPAGE))
{
  exit("error occurred");
}
0
 
LVL 3

Accepted Solution

by:
NewJorg earned 1000 total points
ID: 16903440
I thought the same like ThomasFranke, I guess it's the name :-)

Ok in the new situation, I would suggest try to filter with referer and maybe user-agent. I don't know what user-agent flash sends. Maybe you can make it more difficult to access the files, but you will have no chance to stop it completly because it will be accessed from clients (over flash) so the informations (referer, user-agent) can be faked.
0
 

Author Comment

by:BiTRaTE2600
ID: 16906234
Thank you NewJorg, I think this will do the trick!!!

Bitz
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
This article discusses how to implement server side field validation and display customized error messages to the client.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question