防止直接 url 访问 php 文件

Question

I have a php file say "check.php" in my website and it is executed when a form is submitted.

say my website is "myweb.com" and the php file is in a directory "PHP"

I want to prevent direct url access to the "check.php" file ie if anyone types the url " myweb.com/PHP/check.php " ,then the php file should not be executed and it should return a error message instead.

I tried to prevent the access by setting a rule in .htaccess ,but it blocks the php even when I try to submit the form.

.htaccess rule :

RewriteEngine on 
RewriteCond %{THE_REQUEST} \.php[\ /?].*HTTP/ 
(.*)\.php$ /index.html [L] 

Is there any possible way to do it ?

Answer 1

You can do it with PHP

<?php
    /* at the top of 'check.php' */
    if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        /* 
           Up to you which header to send, some prefer 404 even if 
           the files does exist for security
        */
        header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );

        /* choose the appropriate page to redirect users */
        die( header( 'location: /error.php' ) );

    }
?>

Answer 2

Put this code at the top of check.php:

if(!isset($_SERVER['HTTP_REFERER'])){
    // redirect them to your desired location
    header('location:../index.php');
    exit;
}

If the user access check.php by type the URL directly, it will redirect them to your desired location.

Answer 3

Try this in Root/.htaccess :

RewriteEngine on


RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^php/check.php$ - [NC,R=404,L]

This will return 404 not found if check.php is not accessed by form post method.

Answer 4

I tried the selected answer but i ran into some issues implementing it, specially if i wanted to return values from functions inside the PHP file using GET with Ajax.

After doing quite an extensive research on other solutions (and a little testing of my own), i came up with the following code:

<?php
$currentPage = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

if ($_SERVER['REQUEST_METHOD'] == "GET" && strcmp(basename($currentPage), basename(__FILE__)) == 0)
{
    http_response_code(404);
    include('myCustom404.php'); // provide your own 404 error page
    die(); /* remove this if you want to execute the rest of
              the code inside the file before redirecting. */
}
?>

I found that the code above worked as i wanted and i don't think it would have any problems with multiple browser like the other answer was pointed out to have. I also don't think it would have any security issues, but i could be wrong (please tell me if i am (and why)), i'm relatively new to web programming.

Just add that code on top of every file you would want to block direct URL access (before everything, even requires, includes and session_starts) and you are good to go.

Answer 5

this is what google uses in their php examples

if (php_sapi_name() != 'cli') {
  throw new \Exception('This application must be run on the command line.');
}

Answer 6

Try this one too. Past in the top of check.php

<?php debug_backtrace() || die ("<h2>Access Denied!</h2> This file is protected and not available to public."); ?>

An Access Denied will be presented when the file is access directly in the url

Answer 7

if (basename($_SERVER['SCRIPT_FILENAME']) === 'common.php')
{
    exit('This page may not be called directly!');
}

Answer 8

Lot of answers to this question but I did something like this.

<?php
    $page = basename($_SERVER['PHP_SELF']);
    
    if($page == "somefile.php"){
      header('Location: index.php');
    }
 ?>