
prevent a user from going directly to a page



There are several methods. You could define a variable or constant in the parent file and check in the child files to make sure it's defined, you could compare the URL with the current script filename, you could get the list of currently included files and check for it there, etc.


Nearly all my scripts run in response to a form submission, so I start by checking for either a required field or the submit value and if that isn't set redirect the user either to where they came from, or to somewhere logical (i.e. if they try to visit my registration script directly, they'll land on the registration form).

There are several methods. You could define a variable or constant in the parent file and check in the child files to make sure it's defined, you could compare the URL with the current script filename, you could get the list of currently included files and check for it there, etc.
I was trying to figure out how to verify that a file was being included properly without automatically generating an ugly error message on failure (I wanted to make my own custom one). Kind of doing the same thing as the thread starter, but in the other direction. After reading this, it occurred to me that if the file was correctly included, the class it defined would exist, and if the class didn't exist, then obviously the file wasn't included right and I should trigger my custom error. So I used include() since it wouldn't generate a fatal error on failure and then checked if the class existed and defined my own fatal error function for if it didn't. And it works quite well. :) Thanks a lot for the idea - even if it wasn't intended for me. :)

As an example, Wordpress likes to use this method.

if (!empty($_SERVER['SCRIPT_FILENAME']) && 'filename.php' == basename($_SERVER['SCRIPT_FILENAME'])) {
    die('Please do not load this page directly.');
}

You can just change the filename.php to the name of your included file. Then, when you include it, it won't die since the actual script that is executing is not the one you included.
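An added guard, not code from the thread or from WordPress, that combines the three approaches mentioned above (a constant set by the entry script, the SCRIPT_FILENAME comparison, and get_included_files()); the names deny_direct_access and IN_APP are assumptions for illustration:

```php
<?php
// Added example: a guard an included file calls on its first line.
// deny_direct_access() and the IN_APP constant are assumed names.

function deny_direct_access(string $file): void
{
    $file = realpath($file);

    // Method 1: get_included_files()[0] is always the script PHP started
    // with, so if it equals this file, the file was requested directly.
    $entry = realpath(get_included_files()[0]);

    // Method 2: the pattern quoted above from WordPress, with realpath() so
    // symlinks and ../ spellings cannot make the comparison miss.
    $viaServer = isset($_SERVER['SCRIPT_FILENAME'])
        && realpath($_SERVER['SCRIPT_FILENAME']) === $file;

    // Method 3: a legitimate front controller defines IN_APP before any
    // include; a direct hit on this file never sees it defined.
    if ($entry === $file || $viaServer || !defined('IN_APP')) {
        // Answer like a missing file rather than describing what was blocked,
        // so a direct hit looks no different from a typo in the URL.
        http_response_code(404);
        exit;
    }
}

// Usage in an included file, right after the opening tag:
//   require_once __DIR__ . '/guard.php';
//   deny_direct_access(__FILE__);
// and in the front controller, before any include:
//   define('IN_APP', true);
```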

Keep them in your private_folder, and use .htaccess to make private_folder private.
But what if you're using a webhost, .htaccess is not allowed, and you're obviously not able to put any file outside the public web directory, but still want to make a (package-)private class? I am trying to throw an error from the class file when it detects remote inclusion, but whatever I do, the class is (of course) still made available at compile-time to the including file.
What exactly goes inside .htaccess? I never really understood that. Is that just a file containing a set of commands that Apache can interpret?
Yes. The same things you can write in httpd.conf, you can write in .htaccess. Well... to be more precise, a subset of them. Some directives are not available to .htaccess files, but the "Allow" and "Deny" and "Order" directives (which are the ones you need in this case) are. Look at the appropriate section in Apache's reference for details as to what to enter.
But what if you're using a webhost, .htaccess is not allowed, and you're obviously not able to put any file outside the public web directory, but still want to make a (package-)private class? I am trying to throw an error from the class file when it detects remote inclusion, but whatever I do, the class is (of course) still made available at compile-time to the including file.
Wouldn't the web host give some permissions for .htaccess files? Otherwise you couldn't do simple things like mod rewrites when using a framework like CodeIgniter.

I wouldn't know about CodeIgniter, but indeed, my host specifically does not permit .htaccess files. It's unfortunate, I know they are convenient in simple scenarios. Isn't there an alternative with PHP?

Edited by Jack McKalling

It depends on the host. Most free hosts will not give you access to change something like htaccess. Most paid hosts do. If you're with a paid host that does not allow that, keep in mind that there are several other hosts that do allow it.


Ok, I don't like the sound of that. I do need those files, don't I? I use a free host for now, I haven't looked for a paid one seeing my current project is still under development since 2005.. I'm looking into custom error handling now, it looks promising. What I'd like to achieve here is cancelling execution from my included file at the detection of remote inclusion (without leaving the declared class available for the including file). It looks impossible to do that at compile time by visibility or code or something, so maybe errors then. If .htaccess can't be used for now, I should look into other solutions, shouldn't I? :)

Edited by Jack McKalling
Ok, I don't like the sound of that. I do need those files, don't I?
I don't know, depends what you're trying to do.
What I'd like to achieve here is cancelling execution from my included file at the detection of remote inclusion
If you're trying to stop a remote server from including your PHP files, you don't need to. Try to include one of your PHP files from another server which allows HTTP includes and see what happens.

I am doing right now, but the effect does not really translate well for me, what's happening, lol? I see the default 404 error page of my webhost included on my including file at the localhost... huh
Edit: Well I do want to prevent remote servers including my file yes. So don't I have to do that? Could you explain what happened?

Edited by Jack McKalling

Copy and paste the URL you are telling it to include into a browser. With that page open, go to View->Source to see the HTML source of the page. What you see there is the code that is being included. Web servers do not deliver PHP code, they deliver the output of it. When you include a file over HTTP it includes the output of the script, not the PHP source code.


Oh, that. Man I feel stupid. I obviously know regular code is executed before output is echoed, but I read and tested (on the same server :) ) that classes and functions do remain available to including files even though you interrupt execution of the included file. I didn't realise it would also count for remote inclusion. Problem solved lol - thanks

Edited by Jack McKalling
classes and functions do remain available to including files even though you interrupt execution of the included file
That's because PHP uses a 2-pass execution model I think. The first pass goes through the source and defines everything that needs to be defined, like classes and functions. The second pass is when it actually executes the code with everything defined. If you stop execution during the second pass with an exit statement or something like that, it's still going to have everything defined. That's why it doesn't matter which order or where you define classes and functions, once the first line gets executed they are all defined. The exception is if you place a definition inside a control structure like an if statement, in that case the item will actually be defined during the second pass, so in that case it does matter when and where those things get defined. e.g.:
// Conditional declaration: the function only comes into existence when
// this if-statement is actually executed, not when the file is compiled.
if ( !function_exists('json_encode') ) {
    function json_encode($content)
    {
        require_once 'class.services_json.php';
        $json = new Services_JSON;
        return $json->encode($content);
    }
}

That will only define a function called json_encode if it doesn't already exist, so that will not be defined during the first pass, it will get defined during the second pass once execution reaches that line.
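An added demonstration (not code from the thread) of the two-pass behaviour described above and of the wish earlier in the thread to stop an included file without handing its declarations to the includer: the included file is constructed in the temp directory and interrupted with a top-level return, which ends that file's execution but leaves unconditional declarations in place; the conditionally declared function is the one that stays hidden.

```php
<?php
// Added example: which declarations survive an early return in an included
// file. The included file is constructed here so the script runs stand-alone.
$dir = sys_get_temp_dir() . '/hoist_demo_' . getmypid();
mkdir($dir);

$lib = <<<'PHP'
<?php
// A top-level return hands control back to the includer before any statement
// below runs. Functions and simple classes (no parent, no interface) are
// bound on the first pass, so they exist anyway.
return;

function hoisted() { return 'bound at compile time'; }

class Hoisted {}

if (true) {
    // Declared inside a control structure: only bound when this line executes,
    // which never happens because of the return above.
    function conditional() { return 'bound at runtime'; }
}
PHP;
file_put_contents("$dir/lib.php", $lib);

include "$dir/lib.php";

var_dump(function_exists('hoisted'));      // bool(true)
var_dump(class_exists('Hoisted', false));  // bool(true)
var_dump(function_exists('conditional'));  // bool(false)

unlink("$dir/lib.php");
rmdir($dir);
```

The practical consequence for an included file that wants to refuse misuse: exiting or returning early hides nothing that was declared unconditionally, while a declaration wrapped in the access check is only created when the check passes.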


That's right, the difference between compile-time and runtime. However irrational it may look to conditionally declare functions/classes, it could be convenient in some cases. Not relevant here though. To specifically prevent misuse of a class at remote access, simply stopping execution is enough as declarations don't get passed through servers, I know now. Though still it would be nice to differentiate between remote and manual access (RFI and addressbar/hyperlink), to change behavior when appropriate. If someone tries to remotely include your file, you don't really want them seeing an actual 404 error page included in their webpage, if you redirect to such a page or a non-existing file. Though that would be the best way to do it for manual access, as no one can tell the difference between actually hitting an existing file or not when they receive a 404 page. Before I knew remote inclusions also triggered the local server to execute code before it sends back, I thought I could check for remote request by checking the $_SERVER['SCRIPT_FILENAME'] against the __FILE__ constant. But at remote access these will inevitably be the same even though it gets included. Can't we tell the difference between manual addressbar request and remote inclusion?

Edited by Jack McKalling

I thought we already established that remote inclusion is not possible. Regardless, have a script that just prints the entire $_SERVER array and see what changes there based on how you access it.

2 weeks later...

Lol. Good moderating! I receive the notification someone replied to this topic, but instead, posts were removed :) Back on topic, are you able to tell me if the SERVER global might be used to explain the difference between a remote and manual access to an included file? It is hard for me to test, I need two hosts for that. And I can't seem to really figure it out by the documentation either.
