如何防止直接访问文件夹中的文件？

Question

A have a webpage with separated "subdir" with this structure:

• mywebpage
  • /subdir/system/ - here are php forms files,
• index.php

The index.php calls file1.php in /system. Then other files in /system are called by "submits". I can't write correct .htaccess to prevent calling these /system/ directly by their URLs.

I have googled and tried various .htaccess contents. But mostly either the "subdir" wasn't accessible at all (even not from index.php ) or the "webpage" access returned "404" .

Normally a user shall open the index.php and decide what he wants to do. Depending on this, he is redirected to respective /system/ .php. Any other try / eg adding https://mywebpage/subdir/system/ anyfile . shall redirect him back to index.php or any other "Error page".

Answer 1

The typical way is to define a global constant in the entry point (like index.php) a file that is ran before anything else, then check in each file if that constant is defined

 define('SOME_CONST', true);

Then at the top of each file

if(!defined('SOME_CONST')) die ("No direct access");

Therefor accessing the file without first loading the file that defines the constant results in termination of PHP.

This "constant" can be anything, typically I use a base path that is relative to the index.php file etc....

    define('MY_BASE_PATH', __DIR__.'/');

And so on...

A few things to keep in mind

I should mention you should not define it in a file and include it in your other files, it wont work that way.

   //DO NOT DO THIS as IT wont WORK!!!!! - technically it never fails
  //--- in the file somefile.php ---

  //required file defines SOME_CONST
  require 'index.php'; 
  //define('SOME_CONST', true); -- defined in index.php, think of it like copy and pasting that files code at this spot.

  //will never fail, because it's defined by the file included/required above
  if(!defined('SOME_CONST')) die ("No direct access"); 

It's like putting this in your code and expecting it to fail (obviously, here it will never fail):

  //dont do this either
  define('SOME_CONST', true);
  if(!defined('SOME_CONST')) die ("No direct access"); 

Instead do it this way:

So you have to include the files from that entry point, and use something like a router etc... basic MVC. Do this instead (vastly simplified)

 // --- in index.php ---
define('SOME_CONST', true);

require 'somepage.php';
//if(!defined('SOME_CONST')) die ("No direct access"); included in the above require

And then

//--- in somefile.php ---
if(!defined('SOME_CONST')) die ("No direct access"); //will fail if index.php is not loaded.

So if someone goes to just that somefile.php the constant is not defined. Because the index.php was not executed "BEFORE" this file.... UNLIKE if you include the index.php (in somefile.php ) before the check. You Obviously cannot include it ( index.php ) after the check. So it must be ran before somefile.php and NOT when ONLY somefile.php is loaded. Which is why you can't include index.php in somefile.php but instead must include somefile.php in index.php .

Also obviously you will need more then just one page somefile.php . So in index you will need a way to direct the request to the proper page. This is called routing. And is a whole other topic...

I tried to keep it as basic as possible. It's really quite simple.

Enjoy.