0

I would like to disallow users to access directly to a PHP script on my website.

This script should instead be accessed from other scripts on the website.

For example, "somepage.php" can call "upload.php", but users are not allowed to type mywebsite.com/upload.php. Unfortunately I can't move my script to a specific folder.

Improve this question
2
  • Are you sure you don't want to use if( !defined(CONSTANT) ) die; routine? You would define that constant in your other scripts, which will be able to add that other script then. Commented Dec 14, 2013 at 12:06
  • If possible, I would like to stop access directly from htaccess without changing scripts. If not, I may consider this possibility anyway. Commented Dec 14, 2013 at 12:14

2 Answers 2

Reset to default
1

Ok, you can do that with the following:

<Files yourfile.inc.php> order allow,deny deny from all </Files>

However, i still suggest that you do that from within the PHP, to do that you add to your include file:

if ( !defined( 'YOURPROGRAM' ) ) { echo <<<EOT You cannot display this file EOT; exit( 1 ); }

And then in the files that you wish to have access to this file you would need to do:

define( 'YOURPROGRAM', 1 );

This way your code will be sharable on several platforms, including ngynx, etc.

References: http://htpasswdgenerator.com/apache/htaccess.html and MediaWiki code.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

Thanks for sharing both solutions Volodya, I didn't think about possible issues caused from different platforms.
I'm sorry to prompt you again, but I'm trying the htaccess solution and it blocks all access to my php file (even from other scripts inside website). How can I do to protect this file only from direct access and let other scripts to use it?
How are you accessing it? With require_once?
Actually, I've adopted the PHP solution but I was curious to try the htaccess solution too. I've inserted the code you've posted (adapted to my upload file name) but the script is disallowed also internally. I've tried to add "allow from [website IP address]" but it still doesn't work.
How are you accessing it?
|
0

As per the comment in my other answer it has become clear that the question actually asked something different. Since i feel that the other answer relates to the question as originally asked, i do not want to edit that one, but rather add this additional answer.

This one will answer: How do i stop a different site from deep linking a page that is being displayed within an iframe on mine?

To do that correctly it is possible to use PHP Sessions. In your main page you would then initiate a session, this user would only be able to view the "inner" page if the session has in fact started.

Let's say you have two pages: index.php and inner.php. You will put the following in the beginning of index.php:

if (session_status() !== PHP_SESSION_ACTIVE) session_start();

In the inner.php you will have:

if (session_status() !== PHP_SESSION_ACTIVE) die("Deep linking detected");

And you definitely cannot do anything like this from htaccess or any other place outside of the code of the pages themselves.

Reference: http://www.php.net/manual/en/function.session-status.php

Improve this answer

2 Comments

You're right Volodya, in fact to let the PHP solution work, I tested if the administrator was logged in (using sessions). Thanks for the clarification and the new answer.
I'm glad i could help. But in the future please state much more explicitely what you are trying to achieve. Sometimes it's best to put it in terms of the sequence "I want the user to come to the page1 which has this code and see this, but when they come and load2 they should see the error like this".

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.