How to avoid seeing the result of a PHP file

tyuret
I want users to be able to see only index.php.

To do so, I've placed a JS file in the head of every PHP file:

<script language="javascript" src="1.js" ></script>

And in 1.js I check like this...


 if ((window.location == window.parent.location) && (window.location.href.search(/index.php/i) == -1)) window.open('http://example.com/index.php','_self');

It seems to be working, but what do you experts think?
Can anybody surpass this?
Most Valuable Expert 2011
Top Expert 2016
Commented:
Yes, it would be easy to bypass that.  Simply turn off JavaScript.  What are you trying to achieve with this design pattern?  If you want to avoid having people find your online data, the only good answer is to keep it offline.

Author

Commented:
I am trying to forward the users to index page even if they write something else to url.

Note: All other PHP files are shown as iframes in the index page. So I only need the index page in the URL.

I agree with Ray. The words "Javascript" and "Security" do not belong in the same sentence.

If you want to hide all other scripts then set up an .htaccess file and use the FILES directive to hide all scripts except index.php

The following is untested, but you get the idea. You can Google lots of examples of this or check the Apache Foundation support pages.

# Deny direct requests for every .php file except index.php
<Files ~ "^(?!index\.php$).*\.php$">
  Order allow,deny
  Deny from all
</Files>
"I am trying to forward the users to index page even if they write something else to url."

In that case you need to look at the mod_rewrite module.

http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

It would be along these lines (UNTESTED)

RewriteEngine On
# Rewrite any request that is not for index.php to index.php
RewriteRule !^index\.php$ index.php [L]

RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Most Valuable Expert 2011
Top Expert 2016
Commented:
I think bportlock has you on the right track here.  One other suggestion is to have a "page header" script that is loaded in every page of the site.  The page header script can check to see if it is loaded in an iframe.  If not, it can simply die().
Commented:
Alternatively, put all the files that you "don't want users to see" in another directory, and either protect that directory with .htaccess, or put that directory outside of the document root.
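
One way to apply the "outside of the document root" suggestion above, as an added example that is not code from any of the posters: index.php is the only script the web server can reach, and it includes the other pages from an allow-list. The directory ../pages, the page parameter, the APP_ENTRY constant and the page names are assumptions made for illustration; iframes on the index page would then point at index.php?page=news instead of news.php.

```php
<?php
// index.php: the only script inside the document root (added example).
// Assumption: the other page scripts live in ../pages, outside the web root,
// so no URL maps to them and no client-side redirect is needed.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/../pages';   // hypothetical location

// Allow-list: public page name => file under PAGES_DIR (constructed names).
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to a file path, or null if it is not permitted.
 * Only exact allow-list keys are accepted, so values such as "../config"
 * are rejected before any path is built from them.
 */
function resolvePage(?string $name): ?string
{
    $name = $name ?? 'home';
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;                       // directory or file is missing
    }
    // Defence in depth: the resolved file must sit inside PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$requested = $_GET['page'] ?? null;
$file = resolvePage(is_string($requested) ? $requested : null);

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Included pages can start with: defined('APP_ENTRY') || exit;
// so they still refuse to run if they are ever copied back under the web root.
define('APP_ENTRY', true);
require $file;
```

Because the check runs on the server, it applies whether or not the browser executes JavaScript.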
