Bdtjtk

Add this to the page that you want to only be included

<?php

if(!defined('MyConst')) {

   die('Direct access not permitted');

}

?>

then on the pages that include it add

<?php

define('MyConst', TRUE);

?>

I have a file that I need to act differently when it's included vs when it's accessed directly (mainly a print() vs return()) Here's some modified code:

if(count(get_included_files()) ==1) exit("Direct access not permitted.");

The file being accessed is always an included file, hence the == 1.  

The best way to prevent direct access to files is to place them outside of the web-server document root (usually, one level above). You can still include them, but there is no possibility of someone accessing them through an http request.

I usually go all the way, and place all of my PHP files outside of the document root aside from the bootstrap file - a lone index.php in the document root that starts routing the entire website/application.

An alternative (or complement) to Chuck's solution would be to deny access to files matching a specific pattern by putting something like this in your .htaccess file

<FilesMatch ".(inc)$">

    Order deny,allow

    Deny from all

</FilesMatch>

1: Checking the count of included files

if( count(get_included_files()) == ((version_compare(PHP_VERSION, '5.0.0', '>='))?1:0) )

{

    exit('Restricted Access');

}

Logic: PHP exits if the minimum include count isn't met. Note that prior to PHP5, the base page is not considered an include.

2: Defining and verifying a global constant

// In the base page (directly accessed):

define('_DEFVAR', 1);



// In the include files (where direct access isn't permitted):

defined('_DEFVAR') or exit('Restricted Access');

Logic: If the constant isn't defined, then the execution didn't start from the base page, and PHP would stop executing.

3: Remote address authorisation

// Call the include from the base page(directly accessed):

$includeData = file_get_contents("http://127.0.0.1/component.php?auth=token");



// In the include files (where direct access isn't permitted):

$src = $_SERVER['REMOTE_ADDR']; // Get the source address

$auth = authoriseIP($src); // Authorisation algorithm

if( !$auth ) exit('Restricted Access');

The drawback with this method is isolated execution, unless a session-token provided with the internal request. Verify via the loop-back address in case of a single server configuration, or an address white-list for a multi-server or load-balanced server infrastructure.

4: Token authorisation

Similar to the previous method, one can use GET or POST to pass an authorization token to the include file:

if($key!="serv97602"){header("Location: ".$dart);exit();}

A very messy method, but also perhaps the most secure and versatile at the same time, when used in the right way.

5: Webserver specific configuration

Most servers allow you to assign permissions for individual files or directories. You could place all your includes in such restricted directories, and have the server configured to deny them.

For example in APACHE, the configuration is stored in the .htaccess file. Tutorial here.

Note however that server-specific configurations are not recommended by me because they are bad for portability across different web-servers. In such cases where the deny-algorithm is complex or the list of denied directories is rather big, it might only make reconfiguration sessions rather gruesome. In the end it's best to handle this in code.

6: Placing includes in a secure directory OUTSIDE the site root

Least preferred because of access limitations in server environments, but a rather powerful method if you have access to the file-system.

//Your secure dir path based on server file-system

$secure_dir=dirname($_SERVER['DOCUMENT_ROOT']).DIRECTORY_SEPARATOR."secure".DIRECTORY_SEPARATOR;

include($secure_dir."securepage.php");

Logic:

• The user cannot request any file outside the htdocs folder as the links would be outside the scope of the website's address system.


• The php server accesses the file-system natively, and hence can access files on a computer just like how a normal program with required privileges can.


• By placing the include files in this directory, you can ensure that the php server gets to access them, while hotlinking is denied to the user.


• Even if the webserver's filesystem access configuration wasn't done properly, this method would prevent those files from becoming public accidentally.

Please excuse my unorthodox coding conventions. Any feedback is appreciated.

Actually my advice is to do all of these best practices.

• Put the documents outside the webroot OR in a directory denied access by the webserver
  AND


• Use a define in your visible documents that the hidden documents check for:

      if (!defined(INCL_FILE_FOO)) {

          header('HTTP/1.0 403 Forbidden');

          exit;

      }

This way if the files become misplaced somehow (an errant ftp operation) they are still protected.

I had this problem once, solved with:

if (strpos($_SERVER['REQUEST_URI'], basename(__FILE__)) !== false) ...

but the ideal solution is to place the file outside of the web-server document root, as mentioned in another anwser.

You'd better build application with one entrance point, i.e. all files should be reached from index.php

Place this in index.php

define(A,true);

This check should run in each linked file (via require or include)

defined('A') or die(header('HTTP/1.0 403 Forbidden'));

The easiest way is to set some variable in the file that calls include, such as

$including = true;

Then in the file that's being included, check for the variable

if (!$including) exit("direct access not permitted");

What Joomla! does is defining a Constant in a root file and checking if the same is defined in the included files.

defined('_JEXEC') or die('Restricted access');

or else

one can keep all files outside the reach of an http request by placing them outside the webroot directory as most frameworks like CodeIgniter recommend.

or even by placing an .htaccess file within the include folder and writing rules, you can prevent direct access.

debug_backtrace() || die ("Direct access not permitted");

I wanted to restrict access to the PHP file directly, but also be able to call it via jQuery $.ajax (XMLHttpRequest). Here is what worked for me.

if (empty($_SERVER["HTTP_X_REQUESTED_WITH"]) && $_SERVER["HTTP_X_REQUESTED_WITH"] != "XMLHttpRequest") {

    if (realpath($_SERVER["SCRIPT_FILENAME"]) == __FILE__) { // direct access denied

        header("Location: /403");

        exit;

    }

}

Besides the .htaccess way, I have seen a useful pattern in various frameworks, for example in ruby on rails. They have a separate pub/ directory in the application root directory and the library directories are living in directories at the same level as pub/. Something like this (not ideal, but you get the idea):

app/

 |

 +--pub/

 |

 +--lib/

 |

 +--conf/

 |

 +--models/

 |

 +--views/

 |

 +--controllers/

You set up your web server to use pub/ as document root. This offers better protection to your scripts: while they can reach out from the document root to load necessary components it is impossible to access the components from the internet. Another benefit besides security is that everything is in one place.

This setup is better than just creating checks in every single included file because "access not permitted" message is a clue to attackers, and it is better than .htaccess configuration because it is not white-list based: if you screw up the file extensions it will not be visible in the lib/, conf/ etc. directories.

If more precisely, you should use this condition:

if (array_search(__FILE__, get_included_files()) === 0) {

    echo 'direct access';

}

else {

    echo 'included';

}

get_included_files() returns indexed array containing names of all included files (if file is beign executed then it was included and its name is in the array).
So, when the file is directly accessed, its name is the first in the array, all other files in the array were included.

<?php

if (eregi("YOUR_INCLUDED_PHP_FILE_NAME", $_SERVER['PHP_SELF'])) { 

 die("<h4>You don't have right permission to access this file directly.</h4>");

}

?>

place the code above in the top of your included php file.

ex:

<?php

if (eregi("some_functions.php", $_SERVER['PHP_SELF'])) {

    die("<h4>You don't have right permission to access this file directly.</h4>");

}



    // do something

?>

The following code is used in the Flatnux CMS (http://flatnux.altervista.org):

if ( strpos(strtolower($_SERVER['SCRIPT_NAME']),strtolower(basename(__FILE__))) )

{

    header("Location: ../../index.php");

    die("...");

}

if (basename($_SERVER['PHP_SELF']) == basename(__FILE__)) { die('Access denied'); };

My answer is somewhat different in approach but includes many of the answers provided here. I would recommend a multipronged approach:

1. .htaccess and Apache restrictions for sure


2. defined('_SOMECONSTANT') or die('Hackers! Be gone!');

HOWEVER the defined or die approach has a number of failings. Firstly, it is a real pain in the assumptions to test and debug with. Secondly, it involves horrifyingly, mind-numbingly boring refactoring if you change your mind. "Find and replace!" you say. Yes, but how sure are you that it is written exactly the same everywhere, hmmm? Now multiply that with thousands of files... o.O

And then there's .htaccess. What happens if your code is distributed onto sites where the administrator is not so scrupulous? If you rely only on .htaccess to secure your files you're also going to need a) a backup, b) a box of tissues to dry your tears, c) a fire extinguisher to put out the flames in all the hatemail from people using your code.

So I know the question asks for the "easiest", but I think what this calls for is more "defensive coding".

What I suggest is:

1. Before any of your scripts require('ifyoulieyougonnadie.php'); (not include() and as a replacement for defined or die)


2. 
   

   In ifyoulieyougonnadie.php, do some logic stuff - check for different constants, calling script, localhost testing and such - and then implement your die(), throw new Exception, 403, etc.

   
   
   

   I am creating my own framework with two possible entry points - the main index.php (Joomla framework) and ajaxrouter.php (my framework) - so depending on the point of entry, I check for different things. If the request to ifyoulieyougonnadie.php doesn't come from one of those two files, I know shenanigans are being undertaken!

   
   
   

   But what if I add a new entry point? No worries. I just change ifyoulieyougonnadie.php and I'm sorted, plus no 'find and replace'. Hooray!

   
   
   

   What if I decided to move some of my scripts to do a different framework that doesn't have the same constants defined()? ... Hooray! ^_^

   
   

I found this strategy makes development a lot more fun and a lot less:

/**

 * Hmmm... why is my netbeans debugger only showing a blank white page 

 * for this script (that is being tested outside the framework)?

 * Later... I just don't understand why my code is not working...

 * Much later... There are no error messages or anything! 

 * Why is it not working!?!

 * I HATE PHP!!!

 * 

 * Scroll back to the top of my 100s of lines of code...

 * U_U

 *

 * Sorry PHP. I didn't mean what I said. I was just upset.

 */



 // defined('_JEXEC') or die();



 class perfectlyWorkingCode {}



 perfectlyWorkingCode::nowDoingStuffBecauseIRememberedToCommentOutTheDie();

Do something like:

<?php

if ($_SERVER['SCRIPT_FILENAME'] == '<path to php include file>') {

    header('HTTP/1.0 403 Forbidden');

    exit('Forbidden');

}

?>

I found this php-only and invariable solution which works both with http and cli :

Define a function :

function forbidDirectAccess($file) {

    $self = getcwd()."/".trim($_SERVER["PHP_SELF"], "/");

    (substr_compare($file, $self, -strlen($self)) != 0) or die('Restricted access');

}

Call the function in the file you want to prevent direct access to :

forbidDirectAccess(__FILE__);

Most of the solutions given above to this question do not work in Cli mode.

You can use the following method below although, it does have a flaw, because it can be faked, except if you can add another line of code to make sure the request comes only from your server either by using Javascript.
You can place this code in the Body section of your HTML code, so the error shows there.

<?

if(!isset($_SERVER['HTTP_REQUEST'])) { include ('error_file.php'); }

else { ?>

Place your other HTML code here

<? } ?>

End it like this, so the output of the error will always show within the body section, if that's how you want it to be.

i suggest that don't use of $_SERVER for security reasons .

You can use a variable like $root=true; in first file that included another one.

and use isset($root) in begin of second file that be included.

What you can also do is password protect the directory and keep all your php scripts in there, ofcourse except the index.php file, as at the time of include password won't be required as it will be required only for http access. what it will do is also provide you the option to access your scripts in case you want it as you will have password to access that directory. you will need to setup .htaccess file for the directory and a .htpasswd file to authenticate the user.

well, you can also use any of the solutions provided above in case you feel you don't need to access those files normally because you can always access them through cPanel etc.

Hope this helps

The easiest way is to store your includes outside of the web directory. That way the server has access to them but no outside machine. The only down side is you need to be able to access this part of your server. The upside is it requires no set up, configuration, or additional code/server stress.

<?php       

$url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

  if (false !== strpos($url,'.php')) {

      die ("Direct access not premitted");

  }

?>

I didn't find the suggestions with .htaccess so good because it may block
other content in that folder which you might want to allow user to access to,
this is my solution:

$currentFileInfo = pathinfo(__FILE__);

$requestInfo = pathinfo($_SERVER['REQUEST_URI']);

if($currentFileInfo['basename'] == $requestInfo['basename']){

    // direct access to file

}

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

will do the job smooth

You can use phpMyAdmin Style:

/**

 * block attempts to directly run this script

 */

if (getcwd() == dirname(__FILE__)) {

    die('Attack stopped');

}

this is what google uses in their php examples see here

if (php_sapi_name() != 'cli') {

  throw new Exception('This application must be run on the command line.');

}