Reputation: 72
Prevent direct URL Access of PHP files in the Web Application
All of the php files in the application are directly accessible through URL. Adding this code at the start of my php files works for few of them which are being requested with POST method:
if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
die(header( 'location:/webapp/postings' ));
}
But, I do have some php files which are being requested through GET method and the above code doesn't work for them, because of which I came with the following code:
if(!isset($_SERVER['HTTP_REFERER'])){
die(header('location:/webapp/postings'));
}
I know that the HTTP_REFERER coudn't be trusted. Any other options?
can someone please tell me a generic way of preventing direct URL access without altering the code across all the php files.
Note: My Application is running on IIS 7.5 Web server.
Upvotes: 3
Views: 2014
Answers (1)
Reputation: 34113
Don't do this:
public_html/
includes/
dont_access_me_bro.php
...
index.php
...
Do this instead:
includes/
dont_access_me_bro.php
...
public_html/
index.php
...
Explanation
Keeping your source files outside of the document root guarantees that users will be unable to access them directly by changing the URI on their HTTP request. This will not protect against LFI exploits.
To find out where your document root is, this handy PHP script can help:
var_dump($_SERVER['DOCUMENT_ROOT']);
If this prints out string (25) "C:\htdocs\www\example.com", you don't want to store your files in C:\htdocs\www\example.com or any subdirectory of C:\htdocs\www\example.com.
If you place user-provided files inside your document root, you're creating the risk that someone will access them directly from their browser, and if Apache/nginx/etc. screws something up, their uploaded file may be executed as code.
So you would not want your files to be inside C:\htdocs\www\example.com\uploaded, you would want something like C:\uploads\example.com\.
This is covered in-depth in this article on secure file uploads in PHP.
Upvotes: 1
Related Questions
- How to prevent direct access to php pages through URL
- Prevent PHP code from executing if form was not submitted
- Deny Direct Access to JavaScript Files in IIS Web Server
- prevent direct url access
- forbid direct access to php files (MVC)
- Restricting PHP directory access in IIS7
- Prevent direct url access to files
- How to block HTTP access to file
- Restricting direct access to php file
- Preventing direct access to php files