Prevent users from directly accessing results.php in this E.g. root (contains)-> “index.php” (includes)-> “results.php”

Question

I want to make it impossible for users to access a certain scripts running on my server.

The best way i can explain this is by explaining a brief description of how the root level of the website works.

ROOT contains 4 scripts:

index.php home.php error.php results.php

In the index file, i have included and directed the user to these 3 files, on certain instances.

Now, this causes a bit of a problem, as the index file includes the neccessary controllers and any addittional scripts before the new script is included and the users' point of view changes to the new "webpage". I have done this as it provides a very quick experiance for the user, as in the the page load times have become very low.

Now these files have been set with the robots no index meta, and are removed from the sitemap. I want to go one step further, and make it impossible for users to access these scripts direcly, as in by typing http://www.mysite.com/results.php

This is because if they do they are greeted with an ugly, unfuctional page that has not had the layout variables, or main css stylesheet defined.

Here is a brief outline of index.php:

<?php
ob_start();

$activeHome = 'active';

require_once $_SERVER['DOCUMENT_ROOT'] . '/../../includes/config.php';
require_once($docRoot . '/includes/layout.php');

...

include 'home.php';
?>

This script includes any code that configures the 3 other scripts. as in

if (isset($_GET['register']))
{
header('Location: http://www.mysite.com/register/');
exit();
}

And here is the same for home/results/error.php

<?php

....

echo $head1 . $pageDetails . $head2 . $header .  $pageContent . $footer;
exit;
?>

In these scripts all of the varibles except for pageDetails and pageContent are defined in the layout script, along with the main css file.

So as you can see by the setup of this website, i do not have very many options left, unless to restrict these pages by a php function which i presume would be fairly complex and more than likely over my head... I assume it would involve heavy use of global or session variables, which is not something i am all to keen about. An easier way, i thought, would be to do this via the htaccess file. But i am not all that knowlegable when it comes to htaccess commands, and i am not so sure if this is even possible going that route.

Would anyone with a bit more knowledge on something like this, like to offer their opinion or any input or advice?

Answer 1

You have two choices.

1. Move the files outside of the web root - This logically makes more sense. If the files aren't meant to be accessed by the web server they should be outside of the web root. This would be the preferred method as long as you (and the web server's user and group) have access to the directory that contains your php scripts. It is also more preferable because you don't need Apache specific (or even mod_rewrite specific) .htaccess rules so this will be portable to most other server flavors. A sample directory structure might looks like this:

/
    /www
        /index.php
    /includes
        /home.php
        /error.php
        /results.php

Just make sure that your webserver's user has access to www and includes and your webserver configuration allows you to work outside of your web root (most apache configurations only allow you to work within it).

2. Add htaccess rules to prevent those from being accessed - This is less preferable. If you want to be stubborn or you have a legitimate reason for keeping the files in your web root, this would be the way to do it on Apache.

RewriteEngine On
RewriteRule ^(home.php|error.php|results.php)$ - [L]

---

To prevent users from accessing /register/register.php:

RewriteEngine On
RewriteRule ^register/register.php$ - [L]

Answer 2

如果文件只能从另一个脚本访问，而不是直接通过HTTP访问，则不要将其保留在HTTP服务器的根目录下。