I'm trying to finish my site and ensure that the user cannot see anything that might help them in malicious ways or give them a bad experience on the site.
So for my pages, e.g. login.php, I check the request method: if it's POST, continue; if not, then 404, etc.
However, I have a couple of pages that gather some information from the database, and I include them in the page. Some of them are quite large / complex, so I prefer doing this to keep things tidier.
How can I go about redirecting the user to a 404 if they directly access these pages instead of them just being included?
Thanks. Hope you know what I mean! :)
I think that you can use some simple tricks.
Where you want to include files, instead of simply
include('db.php');
do:
$including = 'yes';
include('db.php');
and in the first lines of db.php:
if (!isset($including)) {
    http_response_code(404); // show 404
    exit;
}
//db job
So it does its job if included, and shows a 404 if it is called directly.
Alternatively:
The first trick (and DEFINE) may be safer, but if you don't want to change every file that includes the file,
just in db.php:
if (basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME'])) {
    http_response_code(404); // show 404
    exit;
}
//db job
<?php // top file, eg login.php
define('IN_SCRIPT', true);
include('infopage.php');
?>
<?php // included file, eg infopage.php
if (! defined('IN_SCRIPT')) {
    // log message, throw header, etc.
    // this is a direct access
    http_response_code(404);
    exit(0);
}
// do whatever
?>
Alternatively, consider moving your info pages out of the web-visible space.
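An added example, not code from either answer: a guard that compares resolved paths rather than basenames, run against a constructed layout in which the include-only file sits outside the document root and happens to share a name with the entry page. The function names `is_direct_request` and `guard_include` and the `public/` and `includes/` directories are assumptions.

```php
<?php
// Added example, not code from the thread; function and directory names are hypothetical.
declare(strict_types=1);

// True when $file is the script PHP was started with, i.e. it was requested
// directly instead of being include()d. Resolved full paths are compared, so
// two files that merely share a basename are not confused with each other.
function is_direct_request(string $file, string $entryScript): bool
{
    $resolvedFile  = realpath($file);
    $resolvedEntry = realpath($entryScript);
    return $resolvedFile !== false && $resolvedFile === $resolvedEntry;
}

// After loading this helper, call guard_include(__FILE__); at the top of an include-only file.
function guard_include(string $file): void
{
    // The first entry of get_included_files() is the script originally called.
    if (is_direct_request($file, get_included_files()[0])) {
        http_response_code(404);
        exit;
    }
}

// Constructed demo layout: an entry page in the document root and an
// include-only file with the same name kept outside the document root.
$root = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir("$root/public", 0700, true);
mkdir("$root/includes", 0700, true);
$entry    = "$root/public/index.php";
$included = "$root/includes/index.php";
touch($entry);
touch($included);

$checks = [
    'basename test flags the include as direct' => basename($included) == basename($entry),
    'path test flags the include as direct'     => is_direct_request($included, $entry),
    'path test flags the entry page as direct'  => is_direct_request($entry, $entry),
];
foreach ($checks as $label => $result) {
    printf("%-45s %s\n", $label, var_export($result, true));
}

// Remove the demo files again.
unlink($entry);
unlink($included);
rmdir("$root/public");
rmdir("$root/includes");
rmdir($root);
```

With the include directory outside the document root the web server cannot serve those files at all, so the guard becomes a second layer rather than the only control.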