views: 165 | answers: 6

Hey guys, I am separating some XHTML from PHP by putting the XHTML into a separate file and then using PHP's include() function within the PHP script.

This works perfectly fine, however, users are still able to access the .html file directly if they know the address. They can't really do much with it, but I would rather it not show.

I've seen some scripts in the past use some form of referrer check, is this what I would do to add some basic (Notice I said 'basic') restrictions to prevent it from being viewed by accessing it directly?

Thanks!

Clarification: I forgot to mention that I want to do this within PHP, so no web-server configuration (Moving files out of document-root, configuring web-server to disallow access, etc.). I think the most logical choice here is to use the define() constant check, that's actually indeed what I've seen in other scripts that I had forgotten, as I outlined in my post. I realize this is probably not the best solution, but given that the html file that can be accessed is of no particular value, the define() constant should suffice. Thanks I appreciate the responses!

+3  A: 

Just move it outside of the document root. This will not work if PHP is in Safe Mode though.

Ignacio Vazquez-Abrams
+3  A: 

Change your webserver configuration to disallow access to that file?

Nicolás
+3  A: 

No, do something like this:

index.php:

<?php
// index.php: define the guard constant *before* pulling in the template,
// so only requests that go through this entry point can run other.php
define('ALLOW_INCLUDE', true);

include('other.php');
?>

other.php:

<?php
// other.php: a direct request for this file never passes through index.php,
// so the constant is missing and the script stops before outputting anything
if (defined('ALLOW_INCLUDE') === false) die('no direct access!');

// your code
?>

Alix Axel
Remember, this won't work if the files are not parsed by PHP.
Chacha102
+3  A: 

If you currently place all your files (like index.php) in /something/public_html/ you will want to move the files to /something/. That way users cannot access the files.

The /public_html/ is called your document root. That folder is mapped to example.com, and basically the website starts there. If you move the files to above where the website starts, no one can access those files via a browser.

As Ignacio said, this will not work with include if safe mode is turned on.

Other methods are to place something at the top of the file that says

<?php
// guard: stop here if no entry script has defined the constant
if(!defined("RUNNING_SCRIPT"))
    die("No Direct Access Allowed");
?>

and then in your PHP files put

<?php
// entry script: set the constant before including the guarded file
define("RUNNING_SCRIPT", true);
?>

If RUNNING_SCRIPT is not defined, that means they are directly accessing it, and it stops the page from loading. This only works though if PHP runs on the .html files.

You could also use a .htaccess file to disallow access to that folder.

Chacha102
By "PHP runs on the .html files", the html file outputs certain strings using php's echo, would that constitute 'php running on the html file'?
Jorge Israel Peña
Unless you have modified the server, PHP only runs on `.php` files, or files included by PHP. It is simple, put `<?php echo "Test"; ?>` in the `.html` file and see if it runs when you access it directly, or if you just get the PHP code.
Chacha102
Some people create a `.htaccess` file to make PHP run on `.html` files, and sometimes the system admin will put it into the PHP configuration. But, if PHP doesn't run on the file, you can't use PHP to protect it.
Chacha102
So then is it bad practice to `include` `.html` files? I was doing this in hopes of separating concerns and it works really well, except for the part where people can access the html file directly. Configuring the web server is not an option, as this is meant to be a drop-in plugin to a very popular CMS. Is my only hope to integrate the entire xhtml into the php file and make ugly echo calls complete with tedious quote escaping?
Jorge Israel Peña
Actually, I almost completely missed this. I could just make the `.html` file `.php` and include that `define` constant check at the top, right?
Jorge Israel Peña
Including `.html` files is not, by any means, a bad practice. But, if you plan on using PHP code inside of them, you might want to just rename them to `.php` files instead, and use the `define` solution to stop people from accessing them.
Chacha102
Correct, you could just rename the files :)
Chacha102
Generally I name all of the files that contain php to end in `.php`, as I might use them incorrectly otherwise.
Chacha102
Awesome, thanks again I appreciate it.
Jorge Israel Peña
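The define() guard from the two answers above, written out as a complete two-file layout. This is an added example, not code from any poster on this page; the file names plugin.php and view.php, the constant name MYPLUGIN_LOADED and the sample data are assumptions. It follows the advice given above: the template has been renamed from .html to .php so the web server hands it to PHP, the guard is the very first statement so nothing is emitted before the check, and a direct request gets a real 403 status instead of a 200 page that merely says "no direct access".

```php
<?php
// ===== plugin.php (the entry point the web server actually serves) =====
// Added example; file names, constant name and data are assumptions.

// A PHP constant only exists for the lifetime of the request that defined it.
// A request that hits view.php directly never runs this line, so the
// template's guard fails there and succeeds only when included from here.
define('MYPLUGIN_LOADED', true);

// Values the template will render. Escaping is the template's job.
$title = 'Hello <world>';
$items = ['one', 'two & three'];

// __DIR__ keeps the include independent of the working directory and of
// include_path, so the guarded file is the one next to this script.
require __DIR__ . '/view.php';
```

```php
<?php
// ===== view.php (formerly view.html; renamed so PHP parses it) =====
// The guard must be the first statement in the file: any byte before the
// opening <?php tag, even a blank line, is already sent to a direct requester.
if (!defined('MYPLUGIN_LOADED')) {
    http_response_code(403);   // tell clients and logs this was refused
    exit('Access denied.');
}
?>
<!DOCTYPE html>
<html>
<head>
  <title><?= htmlspecialchars($title, ENT_QUOTES, 'UTF-8') ?></title>
</head>
<body>
  <ul>
  <?php foreach ($items as $item): ?>
    <li><?= htmlspecialchars($item, ENT_QUOTES, 'UTF-8') ?></li>
  <?php endforeach; ?>
  </ul>
</body>
</html>
```

Requesting plugin.php renders the list; requesting view.php on its own stops at the guard with a 403. As the answers note, this only protects files PHP parses: if the template kept its .html name on a server that does not route .html through PHP, the source would be served verbatim and the guard would never run.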
+1  A: 

It's a good idea to place this as the first line.

You can also use .htaccess or drop a index.html page too as fallbacks.

<?php
// first line of the guarded file: stop unless the application's global constant exists
defined('SOME_CONSTANT_GLOBAL_TO_YOUR_APP') or die('Access denied.');
?>

alex
A: 

Maybe Apache access control? http://httpd.apache.org/docs/2.2/howto/access.html

Ilya Biryukov