Solved

Preventing direct execution of php scripts from browser

Posted on 2006-06-13
7
518 Views
Last Modified: 2013-12-12
Hello,

I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.

For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the webroot, I would like it to be able to invoke anything within /fooscripts/

I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.

Thank You,

Bitz
0
Comment
Question by:BiTRaTE2600
7 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 16899783
you simply check if the session is started (assuming that the main script does start a session).
0
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 25 total points
ID: 16899787
You could set the pages to only allow http-POST requests. That would at least prevent people from accessing them by typing urls.

I agree on the fact that .htpasswd files will probably not help you out at this stage.

-r-
0
 
LVL 6

Assisted Solution

by:ThomasFranke
ThomasFranke earned 25 total points
ID: 16900251
How do you call your scripts from within your html pages?

If you do an include() or require() you can protect the directory /fooscripts/ with
.htaccess file since the .htaccess file only checks for the pages a user is requesting
using either post or get but not for files included or required by scripts.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:BiTRaTE2600
ID: 16903346
Thank you for your suggestions.

Response to angelIII:

I do not believe I can use sessions in this case. If a session is started with the main script say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly. The user already has a session started from main.php, so the session will be present when a user executes foo.php directly.

Response to Roonaan:

Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.

Response to ThomasFranke:

I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was refering to. It is very similar to invoking a php script from a form. I am making a request viat GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.

Any ideas,

Thank You,

Bitz
0
 
LVL 3

Expert Comment

by:NewJorg
ID: 16903356
if your foo.html is foo.php, then the include-Method and the .htaccess will work fine.

Another often seen solution is to define an constant in foo.php and in the included files that shouldn't opened by users directly ask for that constant

foo.php:
define("INMYPAGE", true);
include("fooscripts/secret.php");

/fooscripts/secret.php:
if(!defined(INMYPAGE))
{
  exit("error occurred");
}
0
 
LVL 3

Accepted Solution

by:
NewJorg earned 250 total points
ID: 16903440
I thought the same like ThomasFranke, I guess it's the name :-)

Ok in the new situation, I would suggest try to filter with referer and maybe user-agent. I don't know what user-agent flash sends. Maybe you can make it more difficult to access the files, but you will have no chance to stop it completly because it will be accessed from clients (over flash) so the informations (referer, user-agent) can be faked.
0
 

Author Comment

by:BiTRaTE2600
ID: 16906234
Thank you NewJorg, I think this will do the trick!!!

Bitz
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

These days socially coordinated efforts have turned into a critical requirement for enterprises.
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question