Prevent Direct Access to a PHP Include File

Prevent direct access to a php include file

The easiest way for the generic "PHP app running on an Apache server that you may or may not fully control" situation is to put your includes in a directory and deny access to that directory in your .htaccess file. To save people the trouble of Googling, if you're using Apache, put this in a file called ".htaccess" in the directory you don't want to be accessible:

Deny from all

If you actually have full control of the server (more common these days even for little apps than when I first wrote this answer), the best approach is to stick the files you want to protect outside of the directory that your web server is serving from. So if your app is in /srv/YourApp/, set the server to serve files from /srv/YourApp/app/ and put the includes in /srv/YourApp/includes, so there literally isn't any URL that can access them.

Prevent direct access to a php file but allow including it

Here are two options you could give a try:

<?php
/**
 * Returns true if current file is included
 */

function isIncluded() {
    $f = get_included_files();
    return $f[0] != __FILE__;
}

if(!isIncluded()) {
    // Do some stuff, eg: print some HTML
} else {
    // Show 403/error
}

?>

<?php

// You can also use (recommended)
if(__FILE__ !== $_SERVER["SCRIPT_FILENAME"]) {
    // this file is being included
}

?>

You may also opt to put the files into a directory protected by a .htaccess and a Deny from all since PHP can bypass that, but users cannot.

prevent direct url access to php file

You can do it with PHP

<?php
    /* at the top of 'check.php' */
    if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        /* 
           Up to you which header to send, some prefer 404 even if 
           the files does exist for security
        */
        header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );

        /* choose the appropriate page to redirect users */
        die( header( 'location: /error.php' ) );

    }
?>

How to create simple prevent direct access to a php include file with .htaccess page?

Just add a string Deny from all in .htaccess file to your include directory

Or

If you want to prevent a file
Then use

<Files "global_variable.php">  
  Order Allow,Deny
  Deny from all
</Files>

Preventing direct access to php files

Get them outside the document root:

/documentroot/index.php
/inc/file1.php
/inc/file2.php
/inc/file3.php

So, there is no direct access to them whatsoever.

Prevent direct access to a php file that would be loaded in another server

The short answer is "no".

The longer answer is that you have an incorrect mental model of what is currently happening. You are imagining that when you reference the stylesheet from website 2, the request is in some way "coming from" that website. What is actually happening is this:

1. The user asks their browser to load website 2
2. The browser sends a request to the server of website 2
3. The server returns some HTML to the browser, which includes the URL where the stylesheet should be loaded from on website 1
4. The browser decides it wants to load the stylesheet, so sends a request to the server of website 1
5. The server of website 1 returns the styles
6. The browser applies the styles to its display of website 2

At no point do your two servers talk to each other; they are always receiving requests from, and sending responses to, the browser. If the server refuses the request at step 5, the browser will never know what the stylesheet contained, so will just render the page without those styles.

With this in mind, we can re-cast the question:

Can I determine why a browser is requesting a URL, to distinguish between a user typing the URL into the address bar from the stylesheet being used on one of my sites.

The answer is maybe: there is an HTTP header that browsers can send called "REFERER" (yes, that's a typo for "referrer", but one that happened so long ago it became standard), which gives the URL the request "came from" in some sense. For a directly typed URL, it will always be blank; for a stylesheet URL, it will probably be the containing page. You can access it in PHP as $_SERVER['HTTP_REFERER'], or in an Apache configuration by putting RewriteCond %{HTTP_REFERER} some-pattern-to-match in front of a RewriteRule.

However, browsers have recently become stricter about passing referrer information between domains, for privacy reasons, so it may be blank in your case.

It's also really important to note that everything in the request is under full control of the user, and everything in the response is fully visible to the user. It's trivial to send a request with a fake REFERER header once you figure out that's what's needed. It's even more trivial to look at the stylesheet while you're on the site that uses it - in most browsers, pressing F12 will pop up "developer tools" where you can see everything the server sent.

So if you're hoping to keep the styles in some way "secret", you're out of luck; the user needs to be able to see the styles for their browser to use them.

How can I protect my included php files from direct access?

The ideal way would be to place your include files outside of the webroot.

This is not always possible so make sure your include files don't 'run' any code by themselves. Adopt an Object Oriented approach where either a file contains runnable code, or it's a class file that doesn't do anything by itself.

Another alternative would be to change the extensions of your include files (to .inc for instance) and deny these from direct access with htaccess.

As a pro-tip: when you're including files always include with an absolute path:

include(dirname(__FILE__) . "/includes/template.inc");
// __FILE__ is the diskpath of the current file

and not:

include("includes/template.inc");

This will save you many headaches.

And as the other guys said, never include files from another webserver (http://), this means you're doing something fundamentally wrong :P

---

Related Topics