PHP only allow server to access a PHP file

Question

I have three pages:

index.html
getjavascript.php?id=index
index.js

index.html includes the script

'getjavascript.php?id=index'

and getjavascript dynamically gets the script index.js.

Is there any way to prevent external users from directly accessing

getjavascript.php 

using PHP?

index.js is in a hidden location.

Thanks,

Answer 1

I'm assuming that index.html contains an include similar to the snippet below (assumption is that we're doing a client-side pull of this javascript).

<script type="text/JavaScript" src="getjavascript.php?id=index" />

If your intent is to hide secrets within the javascript file, there is no way of stopping a user from retrieving the contents. They can trivially use developer tools to view the contents. Furthermore, because the browser needs to download the file, there's not really a way to distinguish between a user accessing directly versus a browser retrieving this file.

If your intent is to obfuscate the fact that your server is using PHP, you can use mod_rewrite to remove the extension.

Server side includes are a different story and modifications to .htaccess or moving this file outside of your webroot directory would work.

Answer 2

It's possible by using htaccess.

Redirect /getjavascript.php http://example.com/newdirectory/

Answer 3

Now I see two ways to solve your problem

1. Using Apache RewriteRule directive. This way will allow you to hide real URL name in your html file
2. Try to use additional parameter in getjavascript.php that detect that if this url called directly from browser (not from html form or link).

Answer 4

Put the include script outside of the document root. For example, if you have your root in public_html , create a folder outside public_html to put your included files in. That way, your script can read them but random people on the internet can't.