Block direct access to PHP file

Last updated on March 23rd, 2022 at 02:06 pm

Some months ago I wrote a PHP snippet to prevent direct file access; today I modified the script because it had some errors. Let us take a file named direct-php.php as an example. All you have to do is add the code below at the top (before any other code begins) of every PHP file that you do not want to be accessed directly by external web sites. This can be done without using complex htaccess directives.

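<?php
// Stop when this file itself is the requested script rather than a file included by another script.
if (!empty($_SERVER['SCRIPT_FILENAME']) && 'direct-php.php' == basename($_SERVER['SCRIPT_FILENAME'])) {
    die('Please do not load this page directly. Thanks!');
} else {
    echo "Hello To Web Server";
}
?>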

Always remember to change the file name accordingly. I have given the filename I am using in BOLD and CAPS.
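The guard above depends on a hard-coded file name that has to be changed in every file. As an added example (not the original author's code), the same check can compare the requested script with __FILE__ instead; the helper names is_direct_request() and deny_direct_access() and the file name guard.php are hypothetical.

```php
<?php
// Added example, not the original author's code.
// is_direct_request() and deny_direct_access() are hypothetical helper names.

/**
 * True when $file is the script the server was asked to run,
 * false when it was pulled in through include/require.
 */
function is_direct_request(string $file, array $server): bool
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return false; // nothing to compare against, same as the page's guard
    }
    // realpath() resolves symlinks and "../", so both sides are canonical paths.
    $entry = realpath($server['SCRIPT_FILENAME']);
    $self  = realpath($file);
    return $entry !== false && $entry === $self;
}

/** Answer 403 and stop when the calling file was requested directly. */
function deny_direct_access(string $file): void
{
    if (is_direct_request($file, $_SERVER)) {
        http_response_code(403);
        exit('Please do not load this page directly. Thanks!');
    }
}

// Constructed self-check: runs only when this helper file is itself executed
// from the command line (for example "php guard.php"), never when it is included.
if (PHP_SAPI === 'cli' && is_direct_request(__FILE__, $_SERVER)) {
    $protected = tempnam(sys_get_temp_dir(), 'inc'); // stands for direct-php.php
    $page      = tempnam(sys_get_temp_dir(), 'pag'); // stands for a page that includes it

    // Case 1: the protected file is the requested script.
    var_dump(is_direct_request($protected, ['SCRIPT_FILENAME' => $protected]));
    // Case 2: another page is the requested script and includes the protected file.
    var_dump(is_direct_request($protected, ['SCRIPT_FILENAME' => $page]));

    unlink($protected);
    unlink($page);
}
```

In a protected file, load this helper with require_once and call deny_direct_access(__FILE__) before any other code.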

Demo With Direct Access

Now I am going to call the above script using the include function, and we can see that it works.

<?php include('direct-php.php');?>

Demo With Include

Keep in mind that sometimes you may have to add this script according to the page you would like to restrict. In some use cases you may not be able to add it in the header and may have to put it inside a condition block instead.

For example, I have a simple form (index.html) whose form action page (process.php) takes a POST request, and I don’t want users to hit the page directly using GET. My index.html looks like below:

<form action="process.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>

Form action page process.php

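<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo "Data Parsed <p>";
    // Escape the submitted values before echoing them into the HTML response.
    echo htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<hr>";
    echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
} else {
    // Non-POST request: show the message when process.php itself is the requested script.
    // The name compared here must be this file's own name.
    if (!empty($_SERVER['SCRIPT_FILENAME']) && 'process.php' == basename($_SERVER['SCRIPT_FILENAME'])) {
        die('Please do not load this page directly. Thanks!');
    }
}
?>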

As you can see above, I am using $_SERVER['REQUEST_METHOD'] to make sure that it is a POST request; otherwise, if people access the file directly using a GET request, it shows the message.

Much better approach for process.php

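<?php
// && binds tighter than ||, so this reads (filename test) || (method test).
// 'welcome.php' does not match this file's name, so in process.php the filename test is
// always false and the REQUEST_METHOD test is what rejects GET requests. Putting
// 'process.php' here would also block the form's own POST.
if ((!empty($_SERVER['SCRIPT_FILENAME']) && 'welcome.php' == basename($_SERVER['SCRIPT_FILENAME'])) || $_SERVER['REQUEST_METHOD'] != 'POST') {
    die('<center><b><img width=200px src="https://mistonline.in/wp/wp-content/uploads/restricted_mistonline.png"><br>Please do not load this page directly. Thanks!');
}
echo "Data Parsed <p>";
// Escape the submitted values before echoing them into the HTML response.
echo htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
echo "<hr>";
echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
?>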

Demo using a simple form

Hit index.html and submit something; this displays the process.php output without any issues.

Hit process.php directly and see what happens.

Note: In the example above, as you know, we can also just add an echo statement inside the else block and don’t really have to add the restrict access script logic there. All I wanted to show you here was that this script can be implemented anywhere according to your requirement.
