I.T. Security and Linux Administration

Oct 2 2011   11:33PM GMT

[PHP] Page Authentication

Eric Hansen Eric Hansen Profile: Eric Hansen

Ever wondered how you can make sure people don’t view a page they’re not supposed to (i.e.: restrict them from accessing certain files in /var/www/domain.com/topsecretdocs/files_list.php)? Well, most people come up with the idea of putting a define() in the page that calls the file in question (in this case, files_list.php), and then do a simple if(!defined(…)){ die(“HACKER”); } kind of thing, similar to what phpBB does with its files. But, there is a simplier way of handling this particular situation.

Now, I’m not sure this will work on Ajax (I know the define() trick doesn’t), so I can’t vouche for that.  But if you basically call a require/include() in a PHP file, this will work.  What you do first is create a simple PHP file; in this example, I’ll call it tricks.php, and put the following in there:


<?php

function legit(){

return true;

}

?>

You really don’t even need anything inside of the function, but I do just for convience sake.  Now, what you do after this is, at the top of every page that you want to protect from prowling eyes, add these lines:


<?php

@require_once('tricks.php');

if(!function_exists('legit')){

// redirect or otherwise refuse access

}

?>

What this does is about the same thing as the define() feature, but has a lower tendancy to break.  With define(), its easy to make a mistake when you’re coding at 3 A.M. on some big project, because if what you named in define() also becomes a variable in that file, it’ll return true and the user will be able to access your file as they please.  But, if you do a function check, PHP treats functions and variables differently, and defined() won’t check for functions.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: