10

JAN

Block access to php files

by krike in PHP, Tutorials

In this tutorial I will quickly teach you how to block direct access to certain php pages.

Author: krike

I'm an enthusiastic web designer/developer who's trying to learn as much as possible and likes to share his knowledge with others.

When you are writing a script and have some files that only need to run in the background or only contain a part of your code (e.g. the comment.php file in WordPress), you will want to block direct access to those files.

I used to use this code:

<?php
//build the URL of the current request, unless it was already set
if(empty($pageURL))
{
	//scheme: http or https
	$pageURL = 'http';
	if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')
	{
		$pageURL .= 's';
	}
	$pageURL .= '://';
	//add the port only when it is not the default port 80
	if($_SERVER['SERVER_PORT'] != '80')
	{
		$pageURL .= $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$_SERVER['REQUEST_URI'];
	}
	else
	{
		$pageURL .= $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
	}
}
?>

It builds the URL of the page I'm currently browsing, and I could use this to block access to the file, but that was before I found that there is a much easier way to do this using the $_SERVER['SCRIPT_FILENAME'] variable.

The code you should be using

Create a new PHP file and add the following code:

<?php
echo $_SERVER['SCRIPT_FILENAME'];
?>

If you preview this in your browser, you should see the full path of the file on the server.

We actually only want the file name, so we will use the basename() function to do this for us:

<?php
echo basename($_SERVER['SCRIPT_FILENAME']);
?>

You should now see only the file name in your browser.

Now you can use this in an if-statement to check whether the user is browsing this file directly, and if so, block access to the page:

<?php
//if the current file the user is browsing for is the file block.php then block the access
if(basename($_SERVER['SCRIPT_FILENAME']) == "block.php"):
	echo "Sorry but you cannot browse this file directly!";
	exit;//this will make sure the browser stops here and won't go any further
endif;
?>

<p>If you are browsing this file directly you will not see this text, but if you are including
 this file in another file using the include(); function you should see this text.</p>

When you browse the file directly, you should see the error message and not the content below the if-statement.
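The basename() check depends on a hard-coded file name: renaming the file silently disables it, and a script in another directory that is also called block.php would be blocked when it includes this one. The following is an added example, not code from the original tutorial, that compares full paths instead; the file name includes/comment-form.php is hypothetical.

```php
<?php
// includes/comment-form.php (hypothetical name): a partial that is only
// meant to be pulled in with include() or require().

// __FILE__ is always the file this line lives in. SCRIPT_FILENAME is the
// script the web server was asked to execute. realpath() resolves symlinks
// and "../" segments so both sides are comparable as absolute paths, and
// returns false for a path that does not exist.
$requestedScript = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');

if ($requestedScript !== false && $requestedScript === realpath(__FILE__)) {
	// The file was requested directly: answer with 403 Forbidden so that
	// crawlers and scanners do not record the URL as a normal 200 page.
	if (!headers_sent()) {
		http_response_code(403);
		header('Content-Type: text/plain; charset=utf-8');
	}
	echo "Sorry but you cannot browse this file directly!";
	exit; // nothing below this line runs for a direct request
}
?>

<p>If you are browsing this file directly you will not see this text, but if
 another script includes this file you should see this text.</p>
```

Because the guard never names the file, it can be copied unchanged into every partial. Storing include-only files outside the web server's document root removes the direct URL altogether, and the guard then acts as a second layer.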

Conclusion

You have now learned how to block direct access to certain PHP files. You might want to do this for PHP files that only contain a part of the code (i.e. a partial comment template); otherwise fatal errors might be visible to users, and of course hackers would take advantage of this to attack your website. So if you are sure a PHP file should not be browsed directly, the best thing to do is use the script above to block access.

Of course, if you are familiar with WordPress you might have seen similar code in comments.php.

You can also use $_SERVER['SCRIPT_FILENAME'] to check which page is currently being browsed and highlight the matching link in the navigation, so the user browsing your site knows which page he is on without looking at the URL.

The code could look like this:

<?php
//initiate one class_current entry per page, empty by default
$class_current = array(
	"index.php" => "",
	"about.php" => "",
	"contact.php" => "",
	"services.php" => "",
);

//store the current file name in a variable
$current_page = basename($_SERVER['SCRIPT_FILENAME']);

//only the entry of the page the user is browsing receives the class
if(isset($class_current[$current_page])):
	$class_current[$current_page] = "class='highlight'";
endif;

//if the user is browsing index.php the "home" link will receive the class highlight while the others will not
?>
<ul>
	<li <?php echo $class_current["index.php"]; ?>>Home</li>
	<li <?php echo $class_current["about.php"]; ?>>About</li>
	<li <?php echo $class_current["contact.php"]; ?>>Contact</li>
	<li <?php echo $class_current["services.php"]; ?>>Services</li>
</ul>
