-3

I know there are tons of ways to block direct access (browsing) to a PHP file, namely:

  • Configure the server to refuse them
  • Check whether variables or constants have been set
  • Check if the file is calling itself (using basename and $_SERVER['PHP_SELF'])

However, I am working on a live search. Every time the user presses a key, it will send the keyword to a PHP file through AJAX. Using the above ways can block access to an included file, but also blocks the access from the JavaScript file.

Moreover, the PHP file I mentioned above also includes another PHP file, so I think passing a variable and checking for that is impossible, since you are defining a variable and checking for it in the same file.

Does anybody have any ideas? Any help is appreciated!

Martijn Pieters
WebDeg Brian
    You want people to use the files but at the same time block people from using the files? I'm not sure I understand the question here – apokryfos Dec 28 '17 at 14:10
  • Anything the browser can access, the end user can access. I also don't entirely understand the question; what I assume you're asking is essentially impossible – Matt Fletcher Dec 28 '17 at 14:10
  • @apokryfos, I mean I want to block the PHP file from browsing, but let the JavaScript files access it – WebDeg Brian Dec 28 '17 at 14:10
  • @apokryfos since if you use .htaccess methods or other .php methods to block access to the PHP file, JavaScript (AJAX) cannot access the file – WebDeg Brian Dec 28 '17 at 14:13
  • So basically you mean only allow access to the file if the request is an AJAX request? There's nothing special about an AJAX request other than the fact that it's being sent from JavaScript code, so if you allow AJAX requests you're essentially allowing all requests. – apokryfos Dec 28 '17 at 14:13
  • @apokryfos I am thinking about something like this: `deny from all` and `allow from .js` – WebDeg Brian Dec 28 '17 at 14:17
  • 1
    You can [do this](https://stackoverflow.com/questions/18260537/how-to-check-if-the-request-is-an-ajax-request-with-php) but it's not foolproof. – Alex Howansky Dec 28 '17 at 14:41
  • @AlexHowansky, thanks, let me have a look – WebDeg Brian Dec 28 '17 at 14:42
  • May I ask why you wish to prevent people from directly visiting the PHP file(s) using their web browser? What issue are you experiencing or trying to overcome? – MonkeyZeus Dec 28 '17 at 14:44
  • @MonkeyZeus, some of these files are included at the header and the footer, so it may have a bad impression on users when they eventually get in. They will only see plain HTML which is very bad. Also some are processed 'behind the stage', so sometimes it will be insecure. – WebDeg Brian Dec 28 '17 at 14:48
  • If a user somehow figures out how to browse these files then chances are great that they are not an average user and intentionally wants to poke around and try to break stuff. Your second statement scares me because this means that your system relies on "security through obscurity" and is probably unstable. – MonkeyZeus Dec 28 '17 at 14:52
  • @MonkeyZeus, 'processed' here means when the users eventually get in, they will, somehow, see the folder structures and other stuff, hence the system is no longer secure – WebDeg Brian Dec 28 '17 at 14:58
  • @MonkeyZeus and also, before these users try to figure it out, we should protect it now – WebDeg Brian Dec 28 '17 at 15:11
  • 2
    @WebDegBrian An AJAX request is almost indistinguishable from any other request which a browser makes to your server. All of the "solutions" to your current situation are trivial to circumvent such as [this padlock](https://media1.giphy.com/media/Skx32VOazLRMk/giphy.gif). You need to properly implement security within your PHP files and differentiate stuff that should be publicly accessible versus things which should be used via include only and should probably be located below the content root of your site. – MonkeyZeus Dec 28 '17 at 15:26
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/162107/discussion-between-webdeg-brian-and-monkeyzeus). – WebDeg Brian Dec 28 '17 at 15:34

1 Answer

-1

I finally found the answer. It still uses one of the ways I mentioned above, but a condition needs to be added to the search file.
In common included files:

<?php
// Check if the file is calling itself, i.e. it is the script being served
// directly rather than being included by another script.
if (basename(__FILE__) == basename($_SERVER['PHP_SELF'])) {
    header("Location: http://example.com/404");
    exit();
}

And in the search file:

<?php
// Check if the file is calling itself and there is no search request found;
// a POST carrying 'query' (the AJAX call) is allowed through.
if (basename(__FILE__) == basename($_SERVER['PHP_SELF']) && !isset($_POST['query'])) {
    header("Location: http://example.com/404");
    exit();
}
WebDeg Brian
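The layout the comments recommend, as an added example that is not the question's or the answer's code: the only file under the document root is the public AJAX endpoint, it defines a guard constant, and everything it includes lives outside the document root and refuses to run without that constant, so neither `$_SERVER['PHP_SELF']` (which carries whatever path info the client appends) nor the `X-Requested-With` header is relied on for access control. It assumes a session that already holds a CSRF token under `csrf`, a JavaScript client that POSTs `query` and `csrf` with the `X-Requested-With` header set, and the hypothetical include `../app/search_backend.php` providing `search_products`.

```php
<?php
// search.php: the one file kept under the document root; it is public by design.
declare(strict_types=1);

define('APP_ENTRY', true);  // guard constant every include-only file checks
session_start();

function reject(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. POST only: typing the URL into the address bar is a GET and is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'method not allowed');
}

// 2. Per-session CSRF token (assumed to be set when the search page rendered):
//    the JavaScript echoes it back; a request that lacks it is rejected.
$known = $_SESSION['csrf'] ?? '';
$token = $_POST['csrf'] ?? '';
if ($known === '' || !is_string($token) || !hash_equals($known, $token)) {
    reject(403, 'missing or invalid token');
}
// 3. X-Requested-With is advisory only: any client can set it, so it filters
//    accidental navigations but is never the real access control.
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
    reject(400, 'expected an XMLHttpRequest');
}

// 4. Validate the input before handing it to the backend.
$query = trim((string) ($_POST['query'] ?? ''));
if ($query === '' || strlen($query) > 100) {
    reject(400, 'query must be 1-100 characters');
}

require __DIR__ . '/../app/search_backend.php';  // outside the document root
header('Content-Type: application/json');
echo json_encode(['results' => search_products($query)]);

// ---- ../app/search_backend.php (include-only; hypothetical) ----
// <?php
// defined('APP_ENTRY') or exit;  // refuses to run unless an entry script set the guard
// function search_products(string $q): array {
//     $catalogue = ['apple', 'apricot', 'banana'];  // constructed sample data
//     return array_values(array_filter($catalogue, fn ($p) => stripos($p, $q) === 0));
// }
```

Because the include-only file sits above the web root, the web server cannot serve it at all, and the `APP_ENTRY` check is only a second line of defence if a deployment ever moves it.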