My php website have multiple php files , some of them are for user interface and some of them are helper files(the files, which communicates through database and each other to return a result). Now I need that user can't execute the helper files from their direct url's.
我的php网站有多个php文件,有些用于用户界面,有些是帮助文件(这些文件通过数据库相互通信以返回结果)。现在我需要用户不能从他们的直接url执行帮助文件。
e.g. mydomain.com/login.php ---------- (Interface file, must be accessible to user)
mydomain.com/login_handle.php ----(Healper file, must not be accessible to user)
So I need is user can execute and browse mydomain.com/login.php but must ot be able to execute mydomain.com/login_handle.php, while login.php and handle_login.php keep communicate and can access each other. Thanks,
因此,我需要用户可以执行和浏览mydomain.com/login.php,但不能在登录时执行mydomain.com/login_handle.php。php和handle_login。php保持通信,可以相互访问。谢谢,
Edit: Sorry but I'm using shared hosting and there is no folder other than public_html.
编辑:对不起,我使用的是共享主机,除了public_html之外没有文件夹。
2 个解决方案
#1
4
The first things I would attempt:
我要尝试的第一件事是:
-
Move the included files outside of the document root
将包含的文件移动到文档根之外
-
Move the included files inside another folder and protect it using
.htaccess
. Alternatively, rename your include files to end with.inc
and create a rule based on that.将包含的文件移动到另一个文件夹中,并使用.htaccess保护它。或者,将包含文件重命名为.inc,并基于此创建一个规则。
-
Make sure the included files don't output anything; this is not really secure, but if your file only contains functions, class definitions, etc. without producing any output, it would just show an empty page.
确保所包含的文件不输出任何内容;这并不真正安全,但如果您的文件只包含函数、类定义等,而不产生任何输出,则只显示一个空白页。
The hackish approach for this can be accomplished by using constants:
可以通过使用常量来实现这种陈腐的方法:
index.php
index . php
<?php
define('MY_CONSTANT', '123');
include('helper.php');
helper.php
helper.php
<?php
if (!defined('MY_CONSTANT')) { exit; }
// we were called from another file
// proceed
Edit
编辑
The number 2 approach from above can be done by:
上述第二种方法可通过:
-
Create a folder underneath
public_html
, e.g.includes/
在public_html下面创建一个文件夹,例如include /
-
Move all the files that should be included only into this folder
将应该只包含在此文件夹中的所有文件移动到此文件夹中
-
Add the following
.htaccess
inside:在内部添加以下.htaccess:
<FilesMatch "\.php$"> Order allow, deny Deny from all </FilesMatch>
#2
1
Try to use .htaccess.
尝试使用. htaccess。
Instead of 127.0.0.1 this ip, you need to put your server ip address.
您需要放置服务器ip地址,而不是127.0.0.1这个ip。
<Files login_handle.php>
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>
#1
4
The first things I would attempt:
我要尝试的第一件事是:
-
Move the included files outside of the document root
将包含的文件移动到文档根之外
-
Move the included files inside another folder and protect it using
.htaccess
. Alternatively, rename your include files to end with.inc
and create a rule based on that.将包含的文件移动到另一个文件夹中,并使用.htaccess保护它。或者,将包含文件重命名为.inc,并基于此创建一个规则。
-
Make sure the included files don't output anything; this is not really secure, but if your file only contains functions, class definitions, etc. without producing any output, it would just show an empty page.
确保所包含的文件不输出任何内容;这并不真正安全,但如果您的文件只包含函数、类定义等,而不产生任何输出,则只显示一个空白页。
The hackish approach for this can be accomplished by using constants:
可以通过使用常量来实现这种陈腐的方法:
index.php
index . php
<?php
define('MY_CONSTANT', '123');
include('helper.php');
helper.php
helper.php
<?php
if (!defined('MY_CONSTANT')) { exit; }
// we were called from another file
// proceed
Edit
编辑
The number 2 approach from above can be done by:
上述第二种方法可通过:
-
Create a folder underneath
public_html
, e.g.includes/
在public_html下面创建一个文件夹,例如include /
-
Move all the files that should be included only into this folder
将应该只包含在此文件夹中的所有文件移动到此文件夹中
-
Add the following
.htaccess
inside:在内部添加以下.htaccess:
<FilesMatch "\.php$"> Order allow, deny Deny from all </FilesMatch>
#2
1
Try to use .htaccess.
尝试使用. htaccess。
Instead of 127.0.0.1 this ip, you need to put your server ip address.
您需要放置服务器ip地址,而不是127.0.0.1这个ip。
<Files login_handle.php>
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>