Block access to php files

by krike in PHP & MYSQL / Tutorials on 10 Jan 2010


When you are writing a script and some of your files only need to run in the background or only contain part of your code (e.g. the comment.php file in WordPress), you will want to block direct access to those files.

I used to use this code

if(empty($pageURL))
{
	$pageURL = 'http';
	if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')
	{
		$pageURL .= 's';
	}
	$pageURL .= '://';
	if($_SERVER['SERVER_PORT'] != '80')
	{
		$pageURL .= $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$_SERVER['REQUEST_URI'];
	}
	else 
	{
		$pageURL .= $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
	}
}

It builds the URL I'm currently browsing, and I could use that to block access to the file. But that was before I found that there is a much easier way to do this using the $_SERVER['SCRIPT_FILENAME'] global variable.

The code you should be using

Create a new php file and add the following code

<?php
echo $_SERVER['SCRIPT_FILENAME'];
?>

If you preview this in your browser, you should see the full path of the file on the server.

Now we actually only want the filename, so we will use the basename() function to do this for us

<?php
echo basename($_SERVER['SCRIPT_FILENAME']);
?>

You should now see only the file name in your browser.

Now you can use this in an if-statement to check whether the user is browsing this file directly and, if so, block access to the page

<?php
//if the current file the user is browsing for is the file block.php then block the access
if(basename($_SERVER['SCRIPT_FILENAME']) == "block.php"):
	echo "Sorry but you cannot browse this file directly!";
	exit;//this will make sure the browser stops here and won't go any further
endif;
?>

<p>If you are browsing this file directly you will not see this text, but if you are including
 this file in another file using the include(); function you should see this text.</p>

You should see the error message and not the code below the if-statement
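
The basename() check above compares against a hard-coded name, so it stops working when the file is renamed and also fires when a different entry script that happens to be called block.php includes this one. An added example (not the author's code) that compares full paths instead; the function name is_direct_request is an assumption made here:

```php
<?php
// Added example: direct-access guard that does not hard-code the file name.
// Put this at the top of any include-only file.

/**
 * Returns true when $includedFile is the script the web server was asked
 * to run, i.e. it was requested directly instead of being include()d.
 */
function is_direct_request(string $includedFile, array $server): bool
{
    if (!isset($server['SCRIPT_FILENAME'])) {
        return false; // no entry script known, nothing to compare against
    }

    // realpath() resolves symlinks and "../" so both paths are comparable.
    $entry = realpath($server['SCRIPT_FILENAME']);
    $self  = realpath($includedFile);

    return $entry !== false && $self !== false && $entry === $self;
}

if (is_direct_request(__FILE__, $_SERVER)) {
    // Answer with 403 so clients and crawlers do not treat this as a normal page.
    http_response_code(403);
    exit('Sorry but you cannot browse this file directly!');
}
?>

<p>This text is only shown when the file is included by another script.</p>
```

Because the guard uses __FILE__, the same lines can be pasted unchanged into every include-only file. Keeping such files outside the web server's document root avoids the problem altogether, since they can then be included but never requested.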

Conclusion

You have now learned how to block access to certain PHP files. You might want to do this for PHP files that only contain a part of the code (e.g. a partial comment template); otherwise fatal errors might be visible to users, and of course hackers would take advantage of this to attack your website. So if you are sure a PHP file should not be browsed directly, the best thing to do is use the script above to block access.

Of course, if you are familiar with WordPress you might have seen similar code in comments.php.

But you can also use $_SERVER['SCRIPT_FILENAME'] to check which page you are currently browsing and use that to highlight the matching link in the navigation, so the user browsing your site knows which page he is on without looking at the URL.

The code could look like this:

<?php
//store the current file name in a variable
$current_page = basename($_SERVER['SCRIPT_FILENAME']);

//return the highlight class only when the link points to the page the user is browsing
function class_current($page, $current_page)
{
	return ($page == $current_page) ? "class='highlight'" : "";
}

//if the user is browsing index.php the "home" link will receive the class highlight while the others will not
?>
<ul>
	<li <?php echo class_current("index.php", $current_page); ?>>Home</li>
	<li <?php echo class_current("about.php", $current_page); ?>>About</li>
	<li <?php echo class_current("contact.php", $current_page); ?>>Contact</li>
	<li <?php echo class_current("services.php", $current_page); ?>>Services</li>
</ul>


  • ping?

    Sorry, this is a very convoluted solution to a problem that can be solved simply by using an .htaccess file.

  • Thank you krike for this trick.

    • @nassim rehali: you are welcome

  • sayantan bagchi

    Hi,
    your material is good. Thank you for sharing.

    I am looking for the same kind of solution. I have a database and there are 3 types of users for that database: administrator, employee and viewer. Now if I log in with a viewer id and password, I am able to move around to any page by directly typing the web page name in the address bar. What I am looking for is that a viewer can't see any pages except for the pages that they have links to. I want to check the authentication if someone wants to navigate to another page by directly typing the page name in the address bar. How can I do it in PHP? Also, is there any possibility of passing the username to every page?

    • @sayantan: this is something very different. You could create a function to see if the user has the permission to view the page or not. This is best done using a group system. You could add an extra field in the user table to determine the user access (1 for admins, 2 for editors, 3 for viewers).

      To have access to the username, when the user logs in you store it in a session, e.g.: $_SESSION['username'] = $username;

      That is just a simple example and if I'm not mistaken it is better to use the session id of the user and store that in a temporary table along with the user id.

      This is a good idea for a tutorial.
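
The per-page permission check described in the reply above, as an added example that is not part of the original comments. The level numbers follow the reply (1 for admins, 2 for editors, 3 for viewers); the function names, session keys and login.php are assumptions made here:

```php
<?php
// Added example: server-side permission check to run at the top of every
// protected page, so typing a page name in the address bar is still checked.
const LEVEL_ADMIN  = 1;
const LEVEL_EDITOR = 2;
const LEVEL_VIEWER = 3;

/** Call once, with the session already started, after the password was verified. */
function login_user(int $userId, string $username, int $level): void
{
    session_regenerate_id(true);       // fresh session id after login
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username; // available on every page from now on
    $_SESSION['level']    = $level;    // copied from the access field in the user table
}

/** True when the stored level is at least as privileged as $required (lower number = more access). */
function user_can(array $session, int $required): bool
{
    return isset($session['user_id'], $session['level'])
        && is_int($session['level'])
        && $session['level'] <= $required;
}

/** Stops the request unless the logged-in user has the required level. */
function require_level(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php'); // hypothetical login page
        exit;
    }
    if (!user_can($_SESSION, $required)) {
        http_response_code(403);
        exit('You do not have permission to view this page.');
    }
}

// First statement of a hypothetical admin-only page:
// require_level(LEVEL_ADMIN);
```

The check has to run before the page produces any output, because header() and session_start() cannot send headers once output has started.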