
How to block calls to function pages outside required pages in PHP

I have a simple config page in my root directory. It's similar to wp-config.php in the WordPress system. Its name is config.php (or anything). There are some MySQL logins or general page functions in my files (functions.php).

When a user calls my index page, it loads config.php (or other function pages). But I want to keep them from external calls: I want to block or redirect users when they enter mydomain.com/config.php.

1. Is there any way to do this?

2. If there is/isn't, does it matter for security? I don't know about security but it bothers me when I think about it.


As suggested in the comments - you can restrict access to those files using .htaccess or a simple check for a pre-defined variable. What would be the best thing to do though is to put those files in a path that is not readable from the httpd and include them from there.

Your webroot directory (where index.php is located) is most likely something like /var/www/your_site_dir/htdocs. Put them in the parent directory (/var/www/your_site_dir) and no other restriction would be required.

As for if it affects security ... well, that depends on how your code is written, but you should always restrict access to those, just in case. No system is 100% secure and none can be considered secure if there's even a conditional possibility of somebody having access to a resource that shouldn't be available to them.


First, do not put executable code in the files you are including. In this way, even if they are called directly, nothing will happen, because they define classes / functions but do not execute them.

Next, if you can't protect them the way @Narf suggests, you can begin all your files with:

<?php
  if (!defined('IN_APP')) {
    exit();
  }

And in your application add define('IN_APP', true).

In this way if your file is called directly, it will just exit.
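
A check that can accompany the guard from the answer above, added here as an example and not part of the original answers: a Python script that walks a webroot and lists the PHP files, other than the entry points, that do not start with the IN_APP guard. The function names, the five-line window and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the guard from the answer above: if (!defined('IN_APP')) { exit(); }
GUARD = re.compile(r"""!\s*defined\s*\(\s*['"]IN_APP['"]\s*\)""")


def has_guard(php_file, head_lines=5):
    """True if the guard appears in the first few non-blank lines of the file."""
    text = php_file.read_text(encoding="utf-8", errors="replace")
    head = [ln for ln in text.splitlines() if ln.strip()][:head_lines]
    return any(GUARD.search(ln) for ln in head)


def unguarded_includes(webroot, entry_points=("index.php",)):
    """Return web-reachable .php files that are not entry points and lack the guard."""
    root = Path(webroot)
    findings = []
    for php_file in root.rglob("*.php"):
        rel = php_file.relative_to(root).as_posix()
        if rel in entry_points:
            continue  # entry points define IN_APP themselves
        if not has_guard(php_file):
            findings.append(rel)
    return sorted(findings)


def build_sample_tree():
    """Constructed sample site: one entry point, one guarded and two unguarded includes."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "inc").mkdir()
    guard = "<?php\n  if (!defined('IN_APP')) {\n    exit();\n  }\n"
    (root / "index.php").write_text("<?php\ndefine('IN_APP', true);\nrequire 'config.php';\n")
    (root / "functions.php").write_text(guard + "function greet() { return 'hi'; }\n")
    (root / "config.php").write_text("<?php\n$db_user = 'app';\n")
    # A guard placed after other statements comes too late to count.
    late = "<?php\n$a = 1;\n$b = 2;\n$c = 3;\n$d = 4;\n$e = 5;\nif (!defined('IN_APP')) { exit(); }\n"
    (root / "inc" / "db.php").write_text(late)
    return root


if __name__ == "__main__":
    for path in unguarded_includes(build_sample_tree()):
        print("missing IN_APP guard:", path)
```

Files moved to the parent of the webroot, as the first answer recommends, fall outside the scanned tree and need no guard.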
