I'm building a CMS and the main page (index.php) is being built up from a lot of small files in the CMS's directory. For example, the structure could be like this:
index.php
menu/admin/content.php
           config.php
           requests.php
menu/tools/content.php
           config.php
           requests.php
menu/users/content.php
           config.php
           requests.php
When I access the index.php in the root directory, I get a different result based on the $_GET parameters. For example, when I access index.php?section=tools, the index file loads up the content, config and requests files from the menu/tools/ folder.
Now to the problem. The index.php page itself is accessible just for the logged in users, but for security reasons, I'd like to disable everything in the menu folder from being accessed by any other way than by PHP's include function.
To demonstrate what could happen: If I want to delete something, I use index.php?section=tools&delete=5, and in the menu/tools/requests.php file, I would check if $_GET['delete'] is set and then delete ID 5 from the DB. Now the problem is that, if someone knew the actual structure, (s)he could access the requests.php file like this: site.com/admin/menu/tools/requests.php?delete=5, and hack the site that way.
Is there a way to prevent this kind of possible attack? Something to deny access for the files in the menu folder, but still let them be accessed from my index.php file? Htaccess maybe? I really don't feel like putting a check (if session/cookie is set) into every single file in the 'menu' folder, although that would be a possible solution.
Create a .htaccess in the folder(s) you want to deny access to containing the following:
The best would be to have the folder outside of the web root, though.
First off, if someone were to manually add the GET arguments and "hack" the site there is a problem. In the script, you should be verifying the authentication of the user trying to perform these actions, and if they are authenticated then there should be no problem. I don't think anyone is going to cause problems deleting something via GET param, when they can do it on the interface themselves.
There are solutions the way you asked, but they each have their own concerns...
CodeIgniter works by setting a variable, and then on the head of each script,
You could also check $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if it's index.php, else exit.
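The two checks described in this answer, written out as an added example (this is not the answerer's code and not CodeIgniter's own); it assumes the question's in-root layout, a constant named CMS_ENTRY that index.php defines before including anything, a session key named user_id, and a PDO connection in $pdo created by the section's config.php:

```php
<?php
// Added example: the top of a file such as menu/tools/requests.php.
// CMS_ENTRY is an assumed constant name that index.php defines before the include.

// Guard 1: a constant only the legitimate entry point defines. A direct request
// to this file never passes through index.php, so the constant is missing.
if (!defined('CMS_ENTRY')) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

// Guard 2 (the $_SERVER alternative): compare the script the server actually
// executed with the expected entry point. SCRIPT_FILENAME is set by the server
// from the resolved file, whereas PHP_SELF can carry request-supplied PATH_INFO,
// so prefer SCRIPT_FILENAME and compare canonical paths.
$entryPoint = realpath(__DIR__ . '/../../index.php');
if ($entryPoint === false || realpath($_SERVER['SCRIPT_FILENAME']) !== $entryPoint) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

// The guards only stop the file from being reached by URL; the action itself
// still needs an authenticated user (session key name is assumed).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// Handle the request described in the question: ?section=tools&delete=5
if (isset($_GET['delete'])) {
    $id = filter_var($_GET['delete'], FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid id.');
    }
    // $pdo is assumed to be a PDO connection created by menu/tools/config.php;
    // the table name is a placeholder.
    $stmt = $pdo->prepare('DELETE FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
}
```

Either guard alone is enough to stop a direct request; the constant check is the simpler one to drop into every file and does not depend on where the application lives on disk. The web-server side of the same idea is the .htaccess from the first answer (an Apache `Require all denied`, or `Deny from all` on 2.2) placed in the menu folder, which blocks the URL before PHP runs at all while include() from index.php is unaffected.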
The best way is to move the menu folder to somewhere outside the document root of the webserver. That way, no URL maps to menu/tools/requests.php and your only safety concern is what you do in index.php.