Hello there, first of all hi everyone, this is my first post here.

i'm pretty new to PHP but i do know enough about programming to understand advices at any level.

Here is my question:

I've done a login algorythm which is working fine, everything is managed by an idex.php file in which using different criteria i'm importing different pages depending on the user action.

now, all is fine and pretty simple but i started wondering how to deny the direct access to php files.

For example, let's say that after a login session variable check i'm importing in the index.php file the add.php file. I want to impose that a person can access to add.php only passing through index.php and if they type /add.php it displays an error message.

One solution i was wondering consist of writing a simple session check in the beginning of the the add.php PHP script, if the session is defined keeps working, if not redirect to index.php.

This solution is fine in order to prevent unauthorized access, but still if a user that made the login correctly than type add.php it will pass the check, display the add.php file and the whole program will be compromised.

I found as possible solution something here:

http://www.pixel2life.com/forums/index.php?showtopic=27107

But as often happen the discussion is pretty old and i was wondering if any possible alternative was suitable to the problem.
I'd like to not touch the .htaccess file as i'm not an expert, actually even if i'm working on a private server i'm not sure my provider give access to that file.

Thanks a lot for your help, cheers

If your trying to embed a login system or are using the url rewrite module and don't want the user to access the real location you could allways assign a cookie check if the cookie exists. For example:

<?php
setcookie('google_analytics',time(),time()+(60*60*24));
if (isset($_COOKIE['google_analytics'])) {
die('Access denied!');
}

This will allow the server to access the page but nobody else. Especially handy for when rewriting url's.

Thanks a lot for your help!

I found this solution, closer to what i was thinking about:

if ( basename($_SERVER['SCRIPT_NAME']) == 'main.php' ) { 
    header('HTTP/1.1 403 Forbidden'); 
    echo "<h1>Access denied</h1>"; 
    exit; 
}

i just hope this will be helpful in future to someone else.

Where do I put this PHP Syntax posted by Jasha? I have tried putting it above the HTML code of the page, below it, and inside of it before the content. However the page still loads when the address is typed directly into the address bar.

If I try to use the sytax posted by Cwarn, I cannot seem to get it to access the secure page from the log in page, but it does block it from being typed in the address bar.

In jasha's code you need to replace 'main.php' with the name of the PHP file that you don't want directly accessed. Then put it at the top of your index.php. It must go before any other output is sent.

EvolutionFallen,

I had attempted that and it did not work for me. However, I did find a way to achieve this. I used cookies and in case anyone else needs it, here is what I did.

In my db.php file, which holds most of the actions for my log in system, I placed this code as an action when the user logs in:

setcookie("username", "$username", time()+3600);

Then on the page I wanted to restrict access too, I placed the following code:

<?php
include "db.php";
  if (isset($_COOKIE["username"])) 
        echo "Welcome " . $_COOKIE["username"] . "!" ;
else 
       header("Location: nogo.php");
  ?>

If the user has logged in, it welcomes them by user name and if they are not, it redirects them to nogo.php page which requests they register or log in to continue.


Again, thank you for your reply.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.