Diplay page directly with php

Question

What is the best way to "NOT" display a page directly in php?

Edit

There is a page = register.php a user cant open register.php directly. Only can access from index.php > Register.php Thanks

Sorry, could you reformulate your question? Maybe give a practical example, I'm not really sure what you are trying to obtain :) — nico, May 21 '10 at 21:24
Im not sure i understand either. I mean, the easiest way to make a page not display is to just check if there is a var set, like if(isset($_GET['myvar'])){//all your HTML and the rest of the page here} — Oscar Godson, May 21 '10 at 21:29
Why would you want to limit the way people navigate your site? — Matti Virkkunen, May 21 '10 at 21:29

score 2 · Accepted Answer · edited May 23 '17 at 12:01

2

Any PHP files containing sensitive data, such as database password, should be stored outside of the document root and included where needed. That way, if an admin makes a serious mistake and the web server starts sending PHP unparsed, that data will be inaccessible.

Edit

You edited your question and it now seems you wish to prevent access to page without them coming from a particular page. You should be able to get some ideas from these questions:

deny direct access to a php file by typing the link in the url

preventing direct access to a php page, only access if redirected

edited May 23 '17 at 12:01

Community

1
1

answered May 21 '10 at 21:26

webbiedave

48,414
8
88
101

Document root : /UniServer/www Do you mean that we may insert config file outside of WWW? Thanks for help – Felicita May 21 '10 at 21:38
@Felicita: Certainly. Then just use `require` to insert them when needed. http://us.php.net/manual/en/function.require.php http://us.php.net/manual/en/function.require-once.php – webbiedave May 21 '10 at 21:41
I know the ruquire and include functions. But I want to know "should be stored outside of the document root" In the example.com is in www we may insert it outside the www. Im I write? I have included my constants from main.php that is in www (main root) . I will change this! Thanks – Felicita May 21 '10 at 21:47
Yes. So long as your webhost has not prohibited you by using things like safe_mode/open_basedir. – webbiedave May 21 '10 at 21:58

score 2 · Answer 2 · answered May 21 '10 at 21:35

I think you want something like this:

if ( $_SERVER['HTTP_REFERER'] != 'http://YOUR_SITE/index.php' ) {                                                              
   echo "Can't access this page from this referer";                                                                            
   die();                                                                                                                      
}                                                                                                                              

// go on with your register.php code

Just to add, this is easily spoofable. However, it will stop most regular users (who don't have malicious motivations). — webbiedave, May 21 '10 at 21:40

score 1 · Answer 3 · answered May 21 '10 at 21:24

1

You can put

die();

or

exit();

At the top of your PHP document. However, your question is unclear as to what you wish to accomplish.

answered May 21 '10 at 21:24

JonnyLitt

763
6
11

score 1 · Answer 4 · answered May 21 '10 at 21:38

1

You can start a session in index.php and check for a certain variable from that session in the other pages.

answered May 21 '10 at 21:38

jeroen

91,079
21
114
132

Derek · Answer 5 · 2010-05-21T21:52:26.457

1

make a file index.php

in it put

<?php
include 'register235235235235.php';
?>

make a file register235235235235.php

put whatever you want in there

As far as securing php includes, I only secure my database.php files which contain usernames and passwords.

edited May 21 '10 at 21:52

answered May 21 '10 at 21:43

Derek

4,864
5
28
38

hmmm... I don't get the point of this. What's the point of obfuscating the name of the register.php file if the user can still access the index.php file? – nico May 21 '10 at 21:53
because register.php is pretty easy to guess, but the user can't see the php code hiding the register235235235235.php. For example, google.com could have a file google.com/thisisasupersecretfile2325a.html and nobody would ever know it existed. Users can't see whats inside EVER, unless I missed a very important php class and need to revisit all my code. I guess instead of blocking the file from being viewed, it just hides it really well. I may have missed the point of the question. – Derek May 21 '10 at 22:01
yes, I see the point of obfuscating the name. But if you were to put the code of register.php in the php file containing the include the users could not see it anyways. If a user is able to see the contents of the file (e.g. by gaining access to the server) he will also know the name of the register3242342555.php file. – nico May 21 '10 at 22:20

Diplay page directly with php

5 Answers5