Question

I'm trying to finish my site and ensure that the user cannot see anything that might help them in malicious ways or give them a bad experience on the site.

So for my pages, e.g. login.php, I check the request method: if it's POST, continue; if not, then 404, etc.

However, I have a couple of pages that gather some information from the database and I include them in the page. Some of them are quite large / complex, so I prefer doing this to keep things tidier.

How can I go about redirecting the user to a 404 if they directly access these pages instead of them just being included?

Thanks. Hope you know what I mean! :)

Solution 2

I think that you can use some simple tricks.

Where you want to include files, instead of simply

include('db.php');

do:

$including = 'yes';
include('db.php');

and in the first lines of db.php:

if (!isset($including)) {
  // show 404: this file was requested directly, not included
  http_response_code(404);
  exit;
}
// db job

So it does its job if included, and shows a 404 if it is called directly.

Alternatively:

The first trick (and DEFINE) may be safer, but if you don't want to change every file that includes the file,

just in db.php:

if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME'])) {
  // show 404: db.php itself is the script that was requested
  http_response_code(404);
  exit;
}
// db job

OTHER TIPS

<?php // top file, eg login.php
define('IN_SCRIPT', true);
include('infopage.php');
?>

<?php // included file, eg infopage.php
if (! defined('IN_SCRIPT')) {
   // log message, throw header, etc.
   // this is a direct access
   http_response_code(404);
   exit(0);
}

// do whatever
?>

Alternatively, consider moving your info pages out of the web visible space.
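A stricter form of the basename check from Solution 2, combined with the tip about keeping include files outside the web-visible space. This is an added example, not code from the original answers; the file name guard.php, the functions is_directly_requested() and deny_direct_access(), and the directory layout are assumptions made for illustration.

```php
<?php
// includes/guard.php -- hypothetical helper, not code from the answers.
// Assumed (constructed) layout, with include files outside the web root:
//   /var/www/site/public/login.php        served by URL
//   /var/www/site/includes/guard.php      not served
//   /var/www/site/includes/infopage.php   not served
declare(strict_types=1);

/** True when $includedFile is the very script the server was asked to run. */
function is_directly_requested(string $includedFile, string $entryScript): bool
{
    // realpath() resolves symlinks and "..", so public/db.php and
    // includes/db.php no longer look alike the way their basenames do.
    $included = realpath($includedFile);
    $entry    = realpath($entryScript);

    return $included !== false && $entry !== false && $included === $entry;
}

/** Answer 404 and stop if the calling file was requested directly. */
function deny_direct_access(string $includedFile): void
{
    $entry = (string) ($_SERVER['SCRIPT_FILENAME'] ?? '');
    if (!is_directly_requested($includedFile, $entry)) {
        return; // normal case: we were include()d by another script
    }
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "404 Not Found\n";
    exit;
}

// First lines of includes/infopage.php:
//   require_once __DIR__ . '/guard.php';
//   deny_direct_access(__FILE__);
//
// In public/login.php:
//   require __DIR__ . '/../includes/infopage.php';
```

With the include files outside the document root the guard is a second layer: it only matters if a later deployment or server misconfiguration makes that directory reachable by URL.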

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow