prevent direct url access to php file

2020-01-28 03:20发布

I have a php file say "check.php" in my website and it is executed when a form is submitted.

say my website is "myweb.com" and the php file is in a directory "PHP"

I want to prevent direct url access to the "check.php" file i.e. if anyone types the url "myweb.com/PHP/check.php" ,then the php file should not be executed and it should return a error message instead.

I tried to prevent the access by setting a rule in .htaccess ,but it blocks the php even when I try to submit the form.

.htaccess rule :

RewriteEngine on 
RewriteCond %{THE_REQUEST} \.php[\ /?].*HTTP/ 
(.*)\.php$ /index.html [L] 

Is there any possible way to do it ?

7条回答
Rolldiameter
2楼-- · 2020-01-28 03:25

You can do it with PHP

<?php
    /* at the top of 'check.php' */
    if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        /* 
           Up to you which header to send, some prefer 404 even if 
           the files does exist for security
        */
        header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );

        /* choose the appropriate page to redirect users */
        die( header( 'location: /error.php' ) );

    }
?>
查看更多
Deceive 欺骗
3楼-- · 2020-01-28 03:26

this is what google uses in their php examples

if (php_sapi_name() != 'cli') {
  throw new \Exception('This application must be run on the command line.');
}
查看更多
▲ chillily
4楼-- · 2020-01-28 03:36

Try this in Root/.htaccess :

RewriteEngine on


RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^php/check.php$ - [NC,R=404,L]

This will return 404 not found if check.php is not accessed by form post method.

查看更多
我欲成王,谁敢阻挡
5楼-- · 2020-01-28 03:42

Put this code at the top of check.php:

if(!isset($_SERVER['HTTP_REFERER'])){
    // redirect them to your desired location
    header('location:../index.php');
    exit;
}

If the user access check.php by type the URL directly, it will redirect them to your desired location.

查看更多
甜甜的少女心
6楼-- · 2020-01-28 03:46

I tried the selected answer but i ran into some issues implementing it, specially if i wanted to return values from functions inside the PHP file using GET with Ajax.

After doing quite an extensive research on other solutions (and a little testing of my own), i came up with the following code:

<?php
$currentPage = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

if ($_SERVER['REQUEST_METHOD'] == "GET" && strcmp(basename($currentPage), basename(__FILE__)) == 0)
{
    http_response_code(404);
    include('myCustom404.php'); // provide your own 404 error page
    die(); /* remove this if you want to execute the rest of
              the code inside the file before redirecting. */
}
?>

I found that the code above worked as i wanted and i don't think it would have any problems with multiple browser like the other answer was pointed out to have. I also don't think it would have any security issues, but i could be wrong (please tell me if i am (and why)), i'm relatively new to web programming.

Just add that code on top of every file you would want to block direct URL access (before everything, even requires, includes and session_starts) and you are good to go.

查看更多
祖国的老花朵
7楼-- · 2020-01-28 03:49
if (basename($_SERVER['SCRIPT_FILENAME']) === 'common.php')
{
    exit('This page may not be called directly!');
}
查看更多
登录 后发表回答