views: 102
answers: 2
My sample index.php

<?php
include 'class.php';
$x = new SomeClass(); // stand-in class name: "new class;" is not valid PHP syntax
$valid = ['home', 'about']; // allowlist of page names (constructed sample)
// checks isset, in_array against the allowlist, and file_exists before including
if (isset($_GET['page']) && in_array($_GET['page'], $valid, true) && file_exists($_GET['page'].'.php')) include $_GET['page'].'.php';

I want to make sure the page being included can't be accessed directly. Below are some examples of code I'm placing on the first line of code on the files that are being included within index.php.

I've tried: (if not being included within index.php die)

if($_SERVER['SCRIPT_NAME']!='/index.php') die;

and (if the class that's defined in the index is not set, die):

if(!isset($x)) die;

What's your favorite way to make pages being included within php inaccessible when viewed directly?

+4  A: 

define() and defined().

Or just put them outside of the document root.

Ignacio Vazquez-Abrams
Is that weaker, stronger, or similar to checking to see if a variable isset in the file it's being included in?
John
It's stronger, because under certain (admittedly broken) conditions variables can be set by adding them to the query string.
Ignacio Vazquez-Abrams
Even with globals off?
John
Let me get this straight, you are giving security advice and you didn't see the massive vulnerability in his code. FAIL!
Rook
And you fail again.
John
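The define()/defined() approach from this answer, combined with an allowlisted front controller, as an added example (this is not Ignacio's code): the constant name IN_APP, the pages/ directory and the page names are assumptions made for the illustration.

```php
<?php
// --- index.php (front controller) ---
// Added example: index.php defines a marker constant and only includes
// pages from a fixed allowlist; each page refuses to run without the marker.
define('IN_APP', true);

// Page files live in pages/ (better still, outside the document root,
// e.g. __DIR__ . '/../app/pages', so the web server never serves them).
$pageDir = __DIR__ . '/pages';
$allowed = ['home', 'about', 'contact']; // constructed allowlist of page names

$page = $_GET['page'] ?? 'home';
// Strict comparison: the request value must be exactly one of the strings above,
// so it is never used to build a path unless it matches the allowlist.
if (!in_array($page, $allowed, true)) {
    http_response_code(404);
    exit('Unknown page');
}
$target = $pageDir . '/' . $page . '.php';
if (!is_file($target)) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;

// --- pages/home.php (one of the included files) ---
// First statement of every included page: refuse to run unless index.php
// defined the marker, which a direct request to pages/home.php never does.
defined('IN_APP') or exit('Direct access not permitted');
echo '<h1>Home</h1>';
```

A constant cannot be set from the query string under any configuration (unlike a variable under register_globals, which the comments above mention), and an allowlist compared with strict in_array() means the ?page= value is only ever used when it equals a known name, so no path sanitisation is needed. Placing the pages directory outside the document root removes the direct-access problem entirely; the defined() check remains as a second layer.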
+1  A: 
if ($_SERVER['SCRIPT_FILENAME'] == __FILE__) {
    die("Go Away");
}

Sorry, updated it to be right.

Anthony
Is it possible to spoof either of the two variables?
John
Let me get this straight, you are giving security advice and you didn't see the massive vulnerability in his code. FAIL!
Rook
Dude, you fail. Learn how to read.
John
Which massive vulnerability did I have? And actually, this is just one way, I thought it was just one of those "throw out some methods" type questions.
Anthony
Anthony, he's talking about my "sample" code above. He didn't read the comment after the "include" line in my sample code, so he thinks I'm just including anything someone types in the $_GET['page'] variable. Just ignore him, dude; you're totally right. I just wanted to get some opinions and you did just that, thanks.
John
I like your method better than mine, but I'm going to give Ignacio the vote just because I don't like relying on the $_SERVER variable. Thanks for taking the time to post something, though.
John
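The same self-check as Anthony's answer, written as an added example (not his code) with both sides normalised through realpath(), which addresses John's spoofing question: $_SERVER['SCRIPT_FILENAME'] is filled in by the web server from its own mapping of the request to the filesystem, not from anything the client sends, so it cannot be set by the visitor; what does vary between setups is its form (relative under some SAPIs, unresolved symlinks), while __FILE__ is always the absolute, symlink-resolved path. The file name pages/about.php is an assumption.

```php
<?php
// --- pages/about.php ---
// Added example: deny the request when the script the server is executing
// is this very file, i.e. it was requested directly instead of included.
$script = $_SERVER['SCRIPT_FILENAME'] ?? null;
// realpath() makes a relative or symlinked SCRIPT_FILENAME comparable with
// __FILE__; it returns false when the path cannot be resolved.
$executing = $script === null ? false : realpath($script);

// Fail closed: unknown executing script, or this file itself, both get a 403.
if ($executing === false || $executing === __FILE__) {
    http_response_code(403);
    exit('Direct access not permitted');
}
echo '<h1>About</h1>';
```

Because the check lives in each page rather than in index.php, it protects only the files that carry it; the define()/defined() marker or moving the pages outside the document root covers every included file uniformly, which is why those options are usually preferred.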