I want to make sure people can't type the name of a PHP script in the URL and run it. What's the best way of doing this?
I could set a variable in the file that wi
In a few of the open source applications I've poked around in, including Joomla and PHPBB, they declare a constant in the main includes file, and then verify that constant exists in each of the includes:
// index.php
require_once 'includes.php';
// includes.php
define('IN_MY_PROJECT', true);
include 'myInc.php';
// myInc.php
defined('IN_MY_PROJECT') || die("No direct access, plsktnxbai");
From a PHP Nuke module:
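<?php
// eregi() and the register_globals variable $PHP_SELF are gone from current PHP;
// preg_match() and $_SERVER['PHP_SELF'] are the equivalents.
if (!preg_match('/modules\.php/i', $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
// more code ...
?>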
Replace modules.php with your file name, and that file cannot be called directly.
The Zend Framework recommends you keep the files outside the web root, as Unkwntech has suggested. I'd say this is the safest and most foolproof solution.
You could check the URI and see if that file is being called with `$_SERVER['SCRIPT_FILENAME']`, or you could move the file outside the public folder; this is a better solution.
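An added sketch of the `$_SERVER['SCRIPT_FILENAME']` check suggested above, not code from any of the answers. The function name `is_entry_script` and the temporary file standing in for an include are assumptions, and the `$server` array is passed in so the cases can be run from the command line.

```php
<?php
/**
 * True when $file is the script the web server was asked to run,
 * false when it was pulled in through include/require.
 * $server is normally $_SERVER; it is a parameter so the check can be run offline.
 */
function is_entry_script(string $file, array $server): bool
{
    $entry = $server['SCRIPT_FILENAME'] ?? '';
    if (!is_string($entry) || $entry === '') {
        return false; // no entry script recorded, nothing to compare
    }
    // realpath() resolves symlinks, "." and ".." so that two spellings of the
    // same file compare equal; it returns false for a path that does not exist.
    $entryPath = realpath($entry);
    $selfPath  = realpath($file);
    return $entryPath !== false && $entryPath === $selfPath;
}

// Intended use, as the first statement of an include file once this
// function has been loaded:
//   if (is_entry_script(__FILE__, $_SERVER)) { http_response_code(404); exit; }

// Constructed demonstration: a temporary file stands in for myInc.php.
$inc    = tempnam(sys_get_temp_dir(), 'inc');
$dotted = dirname($inc) . '/./' . basename($inc); // same file, different spelling

var_dump(is_entry_script($inc, ['SCRIPT_FILENAME' => $inc]));     // include requested by URL
var_dump(is_entry_script($inc, ['SCRIPT_FILENAME' => $dotted]));  // same request via "./"
var_dump(is_entry_script($inc, ['SCRIPT_FILENAME' => __FILE__])); // include loaded by this script
var_dump(is_entry_script($inc, []));                              // key absent

unlink($inc);
```

This check is a second layer: an include kept outside the web root is never the entry script of a web request in the first place.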
One way I've seen a lot is to create a variable that has to be present in every included file and check first thing in every include:
if (!isset($in_prog)) {
    exit;
}
I guess the best way is to put the files you want to include inside an "/include" folder and set access rights 700 on the folder.