Anonymous
Guest
heh, hi again. been a while - love the new forum btw!
anyhoo, sucking-up over, i have just enough time left to post this and hope someone has a better idea than me: my sites all use a kind of template page, with included scripts populating its content (ie. main.php?page=home or whatever), but as a slight security increase i'm now wanting to start adding a simple check to the top of these scripts, so if the file was directly linked to (ie. home.php), instead of being linked to via an include function, then die() is used creating the illusion of a file that doesn't really exist.
problem is, i can only think of two possible ways of doing this, and neither is secure.
1) check the referring url. problem with this however, is a referring url can be spoofed by a 5 year old, thus exploiting whatever script i write.
2) check the value of a variable populated from the page containing the include function. problem here is a user can simply populate that variable in the url, again exploiting my script (ie. home.php?include_used=true). yea, ok, so the chances of a user knowing that variable exists, and what exactly to populate it with are slim, but the possibility still exists.
basically put, the above methods are crap. what i'm hoping for is a built-in function to return the state of how the file was included. since php is interpreted in realtime, surely it has a method of returning exactly what it's just done? thus knowing include was used???
failing this, a connection state would be the next best thing, as a mysql database connection is made on the initial page, thus a quick check of whether or not this connection is present should be enough to prove the file was included from at least a page making such a connection. unfortunately the only method i know of checking this is to check the variable used for that connection, which again goes back to the variable exploit above... i really would prefer a more secure method.
any ideas?
ty.
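An added example, not part of the original post: a guard for the top of an included script such as home.php that relies on neither the referrer nor a request-settable variable. The constant name `IN_SITE` and the helper `requested_directly()` are hypothetical, and main.php is assumed to call `define('IN_SITE', true);` before its include.

```php
<?php
// home.php -- added example, not code from the original post.
// Assumption: main.php runs  define('IN_SITE', true);  before including this file.

/**
 * True when $file is the script the web server was asked to execute,
 * i.e. it was requested by URL rather than pulled in by include/require.
 */
function requested_directly($file)
{
    $entry = isset($_SERVER['SCRIPT_FILENAME'])
        ? realpath($_SERVER['SCRIPT_FILENAME'])
        : false;
    return $entry !== false && $entry === realpath($file);
}

// Check 1: a constant, unlike a variable, cannot be populated from the
// query string, a cookie or a form post, so home.php?IN_SITE=true has no effect.
// Check 2: compares this file with the entry script and needs no
// cooperation from main.php at all.
if (!defined('IN_SITE') || requested_directly(__FILE__)) {
    http_response_code(404);   // answer like a file that does not exist
    exit;
}

// Everything below runs only when main.php included this file.
echo 'home page content';
```

Keeping the included scripts in a directory outside the web server's document root makes them unreachable by URL, so the guard becomes a second layer and not the only one.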