
prevent direct .php access


#1
Demodog

Is it possible to prevent users running a php file directly, only allowing it from an AJAX call, from a page that is run on the same server?

I know that the PHP include command can link to "../incfiles/hello.php", a page that is above the www folder and therefore cannot be run directly. But I can't make an AJAX call that way, so I wonder if I can set some permissions that only let the PHP file be run when it is requested from another page on the server.

#2
webcodez

As for including PHP files and only allowing them to be run when they are included inside your process pages, I usually use a defined constant (checking it) and only run the script if the constant is defined, like:

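inc.php
<?php
// Run only when the including script has defined the constant.
// defined() avoids the error (PHP 8) or truthy string (older PHP) from a bare undefined constant.
if (defined('IS_MAIN_PROCESS')) {
    // run the php code
}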

and inside main script for example:

<?php
define('IS_MAIN_PROCESS', 1);
require_once 'inc.php';

However, when using AJAX it has to be done either using $_SERVER vars, I suppose, or using GET variables. What I usually do is just make a security key that should be given through the URL, and the PHP script only runs upon being given the correct key (through AJAX, for example), like:

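inc.php
<?php
$security_key = "your long security key";
// Require the key to be present and compare it in constant time.
if (isset($_GET['k']) && is_string($_GET['k']) && hash_equals($security_key, $_GET['k'])) {
    // run script
}
?>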

Now, to run this code it should be accessed like this: inc.php?k=your long security key.

So no need to set permissions =].

#3
Demodog

Yeah, well, the only problem is that anyone can get that security code by simply checking the source of your JavaScript?

#4
John

The answer to your original question is no.
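
Post #3 objects that a fixed key in the JavaScript source is the same for every visitor and readable by all of them. The following is an added example, not code from any poster in this thread: a random token bound to the visitor's session and checked at the top of the AJAX endpoint. The function names, the X-Ajax-Token header and the 15-minute lifetime are assumptions, and a visitor who loaded the page can still read their own token, so this limits requests to sessions that loaded the page rather than making the script unreachable.

```php
<?php
// Added example (not from the thread). Function names, the X-Ajax-Token header
// and the 15-minute lifetime are assumptions chosen for illustration.

const TOKEN_TTL = 900; // seconds

// Called by the page that embeds the AJAX code: mint a random per-session token.
function issue_ajax_token(array &$session, int $now): string
{
    $session['ajax_token'] = bin2hex(random_bytes(32));
    $session['ajax_token_time'] = $now;
    return $session['ajax_token']; // echoed into the page for the script to send back
}

// Called first thing in the AJAX endpoint (inc.php in the thread).
function check_ajax_token(array $session, array $server, int $now): bool
{
    $sent = $server['HTTP_X_AJAX_TOKEN'] ?? null;
    $known = $session['ajax_token'] ?? null;
    if (!is_string($sent) || !is_string($known)) {
        return false; // direct hit with no session or no header
    }
    if ($now - ($session['ajax_token_time'] ?? 0) > TOKEN_TTL) {
        return false; // token too old
    }
    return hash_equals($known, $sent); // constant-time comparison
}

// Constructed requests, simulated with plain arrays so this runs from the CLI.
// In a real page, pass $_SESSION (after session_start()) and $_SERVER instead.
$session = [];
$now = time();
$token = issue_ajax_token($session, $now);

$cases = [
    'ajax call from the page'   => [$session, ['HTTP_X_AJAX_TOKEN' => $token], $now],
    'direct URL, no header'     => [$session, [], $now],
    'visitor without a session' => [[], ['HTTP_X_AJAX_TOKEN' => $token], $now],
    'wrong token'               => [$session, ['HTTP_X_AJAX_TOKEN' => str_repeat('0', 64)], $now],
    'expired token'             => [$session, ['HTTP_X_AJAX_TOKEN' => $token], $now + TOKEN_TTL + 1],
];
foreach ($cases as $label => [$sess, $server, $when]) {
    printf("%-26s %s\n", $label, check_ajax_token($sess, $server, $when) ? 'run script' : '403');
}
```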