发表新帖
发表新帖

How to know if php script is called via require_once()?

后端 未结
关注
11 809
旧巷少年郎
旧巷少年郎 2021-01-07 02:24

My webapp has a buch of modules. Each module has a \'main\' php script which loads submodules based on a query sent to the main module:

//file: clientes.php
相关标签:
11条回答
  • 日久生厌
    2021-01-07 02:40

    A common technique is to add this to the main module (before the includes)

    define('TEST', true);

    and to add something like that at the first line of every submodule

    if (!defined('TEST')) {
    die('Do not cheat.');
}
    0 讨论(0)
  • 情歌与酒
    2021-01-07 02:42

    For the sake of completeness, the other possibility is to move such files to a directory that's not publicly available. However, some control panels used by hosting providers make this impossible. In such case, if you are using Apache you can place an .htaccess file inside the directory:

    #
# Private directory
#
Order allow,deny
Deny from all
    0 讨论(0)
  • 北恋
    2021-01-07 02:43

    global.php

    if(!defined("in_myscript"))
{
    die("Direct access forbidden.");
}

    module.php

    define("in_myscript", 1);
include("global.php");
    0 讨论(0)
  • 盖世英雄少女心
    2021-01-07 02:44

    An alternative to defining a constant and checking it is to simply put the files that index.php includes outside of the document root area. That way the user can't directly access them via your web server at all. This is also obviously the most secure way, in case your web server has a configuration error in future that eg. displays PHP files as plain text.

    0 讨论(0)
  • 长发绾君心
    2021-01-07 02:54

    One elegant way is putting all your files which should only be accessed via include outside the web directory.

    Say your web directory is /foo/www/, make an include directory /foo/includes and set this in your include_path: 

    $root = '/foo';
$webroot = $root.'/www'; // in case you need it on day
$lib = $root.'/includes';
// this add your library at the end of the current include_path
set_include_path(get_include_path() . PATH_SEPARATOR . $lib);

    Then nobody will be able to access your libraries directly.

    There's a lot of other things you could do (test a global variable is set, use only classes in libraries, etc) but this one is the most secure one. Every file which is not in your DocumentRoot cannot be accessed via an url,. But that does not mean PHP cannot get access to this file (check as well your open_basedir configuration if you have it not empty, to allow your include dir in it).

    The only file you really need in your web directory is what we call the bootstrap (index.php), with a nice rewrite rule or a nice url managment you can limit all your requests on the application to this file, this will be a good starting point for security.

    0 讨论(0)
  • 猫巷女王i
    2021-01-07 02:56

    You can define('SOMETHING', null) in clientes.php and then check if (!defined('SOMETHING')) die; in the modules.

    0 讨论(0)
 看不清?
提交回复
热议问题