
Currently learning about PHP and using include to include page elements such as

include('menubar.php');
include('content.php');
include('footer.php');

which are all called from, say, private.php

I'm wondering what you think is the most convenient way of securing these pages in the case of someone typing in example.com/content.php

I'm currently using something like

<?php
require("common.php"); // starts the session

// Check to see if the user is logged in, or if this file was requested
// directly instead of being included from an entry page. $_SERVER['PHP_SELF']
// holds the full path ("/content.php") and can carry user-supplied PATH_INFO,
// so compare the basename of SCRIPT_NAME instead.
if( empty($_SESSION['user']) || basename($_SERVER['SCRIPT_NAME']) === "content.php") 
{ 
    // if either is true redirect to index.php (the login page)
    header("Location: index.php"); 
    die("Redirecting to index.php"); // stop rendering after the redirect
} 

But I wanted to know if there is anything else I could/should do?

Note: $_SESSION['user'] is validated at the beginning of each session, or on login.

denski
  • For example, if you're using Apache you could use .htaccess to deny everything but your entry point, like in this [post](http://stackoverflow.com/questions/1340001/deny-direct-access-to-all-php-files-except-index-php) – Dan Ionescu Mar 03 '17 at 21:31
  • Thanks Dan, I want to be able to design the login page so I'm staying away from htaccess. – denski Mar 04 '17 at 02:03

2 Answers


The most convenient way in my opinion would be to put the files outside your www-root, and include them from there. So the file structure would be something like this:

/some-folder
    common.php
    /www-root
        index.php

And you would include the file like this from index.php:

include(__DIR__ . "/../common.php"); // __DIR__ anchors the path to this file, not to the process's working directory

This way, they are not directly accessible from anywhere.

1615903

This is also possible using an .htaccess file. @1615903's answer heavily relies on this.

Understanding the following will make the whole concept clear.

A request comes in (from the user's web browser). Your web server (in this example, Apache) receives this. First, it checks the permissions. Then it looks through the rest of the configuration, and eventually maps the request URI to the filesystem. Now, finally, it can check permissions as well as .htaccess.

If any of those permission checks fails (e.g., deny from all), Apache stops processing the request, and sends back an error (or request for username & password in the case of HTTP Basic authentication).

Once all the permission checks pass, Apache looks at the file, and notices that it's a .php file. Somewhere in your (or your web host's) Apache config, there is an AddHandler directive that tells Apache to pass this request on to the PHP engine (which could be mod_php, or via FastCGI). (For most files, it instead sends the contents of the file to the browser. But script files are special, because of that AddHandler.)

Now, PHP reads your script file. It then also reads your include files directly. This doesn't go back through Apache, so things like .htaccess do not apply. It also means that your PHP includes do not need to be in your document root. They can be anywhere that the PHP process can access (based on UNIX permissions and PHP configuration). Setting an include_dir in your php.ini makes it easy to put these wherever.

Client-side JavaScript is run by the user's browser. It isn't interpreted server-side (like PHP is). So the user must be able to access it, just like the user must be able to access your .html files.

So, in short:

You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all.

You cannot do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).

Ref: protect php includes (with htaccess?)

Rahul Patel
  • Having read this, Dan's comment above on my original question makes much more sense now. Thanks for this. It's very helpful. – denski Mar 06 '17 at 13:29
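The Deny from all approach from the answer above, written out as an added example that is not part of the original answer. It assumes the fragments must stay under the document root in an assumed www-root/includes/ directory, and it covers the check that trips people up most: the directive syntax differs between Apache 2.2 and 2.4, and an .htaccess file is silently ignored unless the server configuration allows the relevant overrides for that directory.

```apacheconf
# ==== httpd.conf or the vhost (server configuration, not .htaccess) ====
# .htaccess rules below are ignored unless these overrides are permitted.
# "Require" needs AuthConfig; the 2.2-style "Deny" needs Limit.
<Directory "/some-folder/www-root">
    AllowOverride AuthConfig Limit
</Directory>

# ==== www-root/includes/.htaccess (assumed directory holding the fragments) ====
# Apache 2.4 uses mod_authz_core; "Require all denied" is the native form.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2, or 2.4 with mod_access_compat loaded, uses Order/Deny.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After reloading Apache, a request for /includes/content.php should get a 403, while /private.php still renders: its require() of the same file happens inside the PHP process and never passes through Apache's access checks. If the direct request still returns the page, the override is not allowed (check AllowOverride) or the .htaccess is in the wrong directory.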