how to block a user from viewing a specific page

sarmenhb · 04-24-2008, 05:16 AM

im wondering how i would be able to program this.

say i have pages that dont have anything on it but has backend code.

how do i block people from typing that page into the url and view it?

delayedinsanity · 04-24-2008, 06:15 AM

a) Don't put it in your document root. Have scripts call it from a different location.

b) If you have an Apache server, deny it with .htaccess or in your httpd.conf

c) make sure the file extension is .php so that the code will be parsed and unviewable in the browser.

d) put up a stop sign.

e) password protect the directory (view .htpasswd or whatever your server uses)

f) disable indexes.

g) if you have a user authentication system and the script is an administration script of some sort, check for administrative authorization or kill the script if it's not found.

It all depends on the specifics of what you're doing, and why you're doing it.
-m

maZtah · 04-24-2008, 10:52 AM

PHP Code:


			
// Define something in your main files which are accessable (like index.php)

define('SYSPATH', 'path_or_something');



// Now put in every include file a check if the main file is loaded

defined('SYSPATH') or die('No direct script access.');

You can define whatever you like, this is just how Kohana does the trick :)

Village Idiot · 04-24-2008, 01:53 PM

At the beginning of every file, put something like

PHP Code:


			
define('IN_SCRIPT',true);

And at the beginning of every source file that you dont want directly accessed.

PHP Code:


			
if(!IN_SCRIPT){die("No Direct Access");}

Evulness · 04-24-2008, 02:05 PM

i've been using...

Code:

//on index page
define ('SysFile', '1');

//on every page that is to only be viewed if accessed via index.php before EVERYTHING...
if (SysFile != '1')
{
die ('Attempting to access Restricted file!');
}

that will check if SysFile = 1, if SysFile isn't defined, script dies.
You could do a header('Location: h*ttp://site.com/index.php instead of die()

something i just thought of... writing a little script to log attempts to access restricted files. http_refferer, ip, time , etc... so you can see when, who... i'll post something about this later, cause i just had some crazy ideas heh

sarmenhb · 04-25-2008, 01:31 AM

on the top of my page i put

define('accesslevel', true);
if(!accesslevel) { header("Location: index.php");

and i loaded the page and nothing happend.
what am i missing

(well obviously it wont work so what else do i need to put)

delayedinsanity · 04-25-2008, 01:52 AM

Well, if those are both on the same page, then ACCESSLEVEL is true, and therefore the if statement doesn't execute.

Just a note for security purposes, if you want to make sure that nobody is going to view your page, you may want to add exit() or die() after the header() statement. Good ole lynx doesn't care about your header's if it doesn't want to.
-m

sarmenhb · 04-25-2008, 02:02 AM

this worked for me

define('noaccess', false);
if(!noaccess) { header("Location: login.php"); }

delayedinsanity · 04-25-2008, 02:20 AM

PHP Code:


			
if (!NOACCESS) {
    header("Location: http://www.yoursite.com/login.php");
    die("aaaAAAaaaUUUuuuUuurrgh.");
}

Nor · 04-25-2008, 03:02 AM

Also don't forget the

PHP Code:


			
if(!defined('NOACCESS'))
{
//
}