Storing Scripts Securely

Question

I have a website that serves two parties, buyer and sellers. So once i have authenicated the type of user i load the respective module. See logic below:

 If $loggedinusertype = Buyer;

 include(/buyer_module.php);

 else 

  include(/seller_module.php);

Now the way i store these modules is just the way i would store a contact.php file. These modules can be accessed if i go to domain.com/seller_module.php. Now, i want to know how to store these modules in such a way that nobody could access it directly and can only be used in the include component. I have 200 of these modules....

Answer 1

You could store them in an area outside of your normal web directory.

Say your web directory is /home/yoursite/www

You could put your include files in /home/yoursite/some-other-directory and no one would be able to access them from your site directly.

Answer 2

I have two suggestions on how you could do this.

1. Just store all of the modules outside of the web root so there is no way they can be accessed from the browser.

2. If the above is not feasible, define a constant in your main application or in the script that includes the individual modules. In the individual modules, check to see if the constant has been defined. If it has not, then you can assume someone is trying to access it in the browser, if it is, then the file was included by your script.

Example of 2:

index.php

<?php
define('SOME_CONSTANT', 1);
// ...
include 'buyer_module.php';

buyer_module.php and all other modules you don't want called directly

<?php

if (!defined('SOME_CONSTANT')) exit;