0

My website file structure currently looks like this:

  • marketplace.php
  • cats.php

On marketplace.php I have 4 categories which link to $_GET variables (e.g. marketplace.php?cat=[1-4]).

At the top of the script for marketplace.php, I have an if statement that looks for the cat variable, checks if it is above zero, and so on.

If cat contains a number greater than zero, it will include cats.php and then show data according to that category number.

How do I make it so that people cannot go to cats.php by entering it in their browser?

syntheticsaint

4 Answers

5

Move cats.php out of the document root, but keep it on the include path.

Explosion Pills
1

If I get your question correctly, you want to restrict users from accessing the included files (core files).

You can restrict them via .htaccess, or eventually define a constant (IN_APP), which will be checked in every file included. If the constant isn't defined, just give an error to the user (404) that says the page doesn't exist.

genesis
  • This is a common approach used by CMSs. It allows you to easily block access and doesn't require access to a location outside the docroot (not all hosting gives you locations outside the docroot). – KingJackaL Nov 14 '11 at 20:28
0

There are a couple of ways to do this. If .htaccess is enabled on your server, you could use it to block access to cat.php, or block access to an entire folder and put all your includes in there.

You could also put cat.php outside your web root (above public_html or whatever your folder is called).

Paul
0

The most common and simple way: define a constant in your main file

define('MY_APP_IS_RUNNING', true);

And secure the include by adding

if (!defined('MY_APP_IS_RUNNING')) {
   die('This is an include file not for public access');
}

A little old school, but works.

Edit

The basic idea is that all your includes/private files depend on a constant you define in your public script. If and only if this constant is defined, your includes will execute.

In marketplace.php you would write

define('MY_APP_IS_RUNNING', true);
include_once 'cat.php';

and your cat.php will simply check whether 'MY_APP_IS_RUNNING' is defined or not. This will add basic security to your scripts and prevent direct external calls.

FloydThreepwood
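An include-only cats.php that combines the constant check from the answers above with the 404 response suggested in one of them, as an added example that is not code from any of the answers. It assumes marketplace.php defines MY_APP_IS_RUNNING and sets a hypothetical $cat variable before including the file; the category labels are constructed.

```php
<?php
// cats.php: include-only file (added example; $cat and the labels are assumed names/data).
declare(strict_types=1);

// Guard: a direct request to /cats.php never runs marketplace.php,
// so the constant is undefined and the client gets a plain 404
// that looks the same as any other missing page.
if (!defined('MY_APP_IS_RUNNING')) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Not Found');
}

// From here on the file only runs when included by marketplace.php.
// Re-validate the category here instead of trusting the includer's variable:
// only whole numbers 1 to 4 are accepted, everything else yields false.
$category = filter_var(
    $cat ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 4]]
);

if ($category === false) {
    echo '<p>Unknown category.</p>';
    return; // hand control back to marketplace.php without rendering data
}

// Constructed sample data standing in for the real category lookup.
$labels = [
    1 => 'Category 1',
    2 => 'Category 2',
    3 => 'Category 3',
    4 => 'Category 4',
];

echo '<h2>' . htmlspecialchars($labels[$category], ENT_QUOTES, 'UTF-8') . '</h2>';
```

The guard has to be the first executable code in the file: anything placed above it still runs on a direct request.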