PHP only allow server to access a PHP file

Question

I have three pages:

index.html
getjavascript.php?id=index
index.js

index.html includes the script

'getjavascript.php?id=index'

and getjavascript dynamically gets the script index.js.

Is there any way to prevent external users from directly accessing

getjavascript.php

using PHP?

index.js is in a hidden location.

Thanks,

You should really clarify how each file is being "included" because it sounds like index.html has no SSI or anything thus there is no way to do what you want - but you should clarify your scenario more. — Eli Sand
– Eli Sand, Commented Apr 21, 2012 at 5:09
You hide a file only to have its contents exposed by another file? — Salman Arshad
– Salman Arshad, Commented Apr 21, 2012 at 6:06

David Z. · Accepted Answer · 2012-04-21 05:03:06Z

2

I'm assuming that index.html contains an include similar to the snippet below (assumption is that we're doing a client-side pull of this javascript).

<script type="text/JavaScript" src="getjavascript.php?id=index" />

If your intent is to hide secrets within the javascript file, there is no way of stopping a user from retrieving the contents. They can trivially use developer tools to view the contents. Furthermore, because the browser needs to download the file, there's not really a way to distinguish between a user accessing directly versus a browser retrieving this file.

If your intent is to obfuscate the fact that your server is using PHP, you can use mod_rewrite to remove the extension.

Server side includes are a different story and modifications to .htaccess or moving this file outside of your webroot directory would work.

edited Apr 21, 2012 at 5:03

answered Apr 21, 2012 at 4:50

David Z.

5,7012 gold badges22 silver badges13 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

user1310420 Over a year ago

Hi, i'm more trying to hide the source of the index.js. What i was thinking was a if($_SERVER[webpage] == 'getjavascript.php'){ exit(); }else{ echo $file; } ?>

Senthil Prabu · Accepted Answer · 2012-04-21 04:45:57Z

0

It's possible by using htaccess.

Redirect /getjavascript.php http://example.com/newdirectory/

answered Apr 21, 2012 at 4:45

Senthil Prabu

16

1 Comment

David Z. Over a year ago

This won't work since the browser needs to make requests to getjavascript.php?id=index and will fail.

Valeriy Gorbatikov · Accepted Answer · 2012-04-21 04:47:56Z

0

Now I see two ways to solve your problem

Using Apache RewriteRule directive. This way will allow you to hide real URL name in your html file
Try to use additional parameter in getjavascript.php that detect that if this url called directly from browser (not from html form or link).

answered Apr 21, 2012 at 4:47

Valeriy Gorbatikov

3,5291 gold badge17 silver badges9 bronze badges

Comments

Niet the Dark Absol · Accepted Answer · 2012-04-21 04:48:47Z

-1

Put the include script outside of the document root. For example, if you have your root in public_html, create a folder outside public_html to put your included files in. That way, your script can read them but random people on the internet can't.

answered Apr 21, 2012 at 4:48

Niet the Dark Absol

326k86 gold badges480 silver badges604 bronze badges

Collectives™ on Stack Overflow

PHP only allow server to access a PHP file

4 Answers 4

1 Comment

1 Comment

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

1 Comment

1 Comment

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related