Solved

Preventing direct execution of php scripts from browser

Posted on 2006-06-13
7
526 Views
Last Modified: 2013-12-12
Hello,

I am developing a php site (ISP running Apache, PHP 5), and have a security related question. I call upon various "utility" php scripts from within html pages to carry out certain functions. While it is necessary for a given html page to invoke a given php script, I do not want a user to be able to execute the scripts that are being called directly, by typing in the url for the script.

For example, if my php scripts were installed in a directory called /fooscripts/ from the web root, I would like to prevent users from accessing the scripts via the browser by typing http://mysite.com/fooscripts/somescript.php. However, if I have /foo.html from the webroot, I would like it to be able to invoke anything within /fooscripts/

I do not believe I can use .htaccess files as this would limit the scripts from being called from within my html pages. Any recommendations would be greatly appreciated.

Thank You,

Bitz
0
Comment
Question by:BiTRaTE2600
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 16899783
you simply check if the session is started (assuming that the main script does start a session).
0
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 25 total points
ID: 16899787
You could set the pages to only allow http-POST requests. That would at least prevent people from accessing them by typing urls.

I agree on the fact that .htpasswd files will probably not help you out at this stage.

-r-
0
 
LVL 6

Assisted Solution

by:ThomasFranke
ThomasFranke earned 25 total points
ID: 16900251
How do you call your scripts from within your html pages?

If you do an include() or require() you can protect the directory /fooscripts/ with
.htaccess file since the .htaccess file only checks for the pages a user is requesting
using either post or get but not for files included or required by scripts.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 

Author Comment

by:BiTRaTE2600
ID: 16903346
Thank you for your suggestions.

Response to angelIII:

I do not believe I can use sessions in this case. If a session is started with the main script say main.php residing at the web root, what is to prevent a user from going to /fooscripts/foo.php directly. The user already has a session started from main.php, so the session will be present when a user executes foo.php directly.

Response to Roonaan:

Good idea. What I neglected to mention is that I will not be able to use POST requests all of the time in my application.

Response to ThomasFranke:

I apologize for not being more specific and a little bit confusing. What I am actually doing is calling PHP scripts from a Flash application. That would be the "html page" I was refering to. It is very similar to invoking a php script from a form. I am making a request viat GET to these scripts to echo back some values (actually, binarized images in my case). Because the .swf is running on the client side, it needs to access the script coming from the user's computer.

Any ideas,

Thank You,

Bitz
0
 
LVL 3

Expert Comment

by:NewJorg
ID: 16903356
if your foo.html is foo.php, then the include-Method and the .htaccess will work fine.

Another often seen solution is to define an constant in foo.php and in the included files that shouldn't opened by users directly ask for that constant

foo.php:
define("INMYPAGE", true);
include("fooscripts/secret.php");

/fooscripts/secret.php:
if(!defined(INMYPAGE))
{
  exit("error occurred");
}
0
 
LVL 3

Accepted Solution

by:
NewJorg earned 250 total points
ID: 16903440
I thought the same like ThomasFranke, I guess it's the name :-)

Ok in the new situation, I would suggest try to filter with referer and maybe user-agent. I don't know what user-agent flash sends. Maybe you can make it more difficult to access the files, but you will have no chance to stop it completly because it will be accessed from clients (over flash) so the informations (referer, user-agent) can be faked.
0
 

Author Comment

by:BiTRaTE2600
ID: 16906234
Thank you NewJorg, I think this will do the trick!!!

Bitz
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question