include state



heh, hi again. been a while - love the new forum btw! :).

anyhoo, sucking-up over, i have just enough time left to post this and hope someone has a better idea than me: my sites all use a kind of template page, with included scripts populating its content (ie. main.php?page=home or whatever), but as a slight security increase i'm now wanting to start adding a simple check to the top of these scripts, so if the file was directly linked to (ie. home.php), instead of being linked to via an include function, then die() is used creating the illusion of a file that doesn't really exist.

problem is, i can only think of two possible ways of doing this, and neither are secure.

1) check the refering url. problem with this however, is a refering url can be spoofed by a 5 year old, thus exploiting whatever script i write.
2) check the value of a variable populated from the page containing the include function. problem here is a user can simply populate that variable in the url, again exploiting my script (ie. home.php?include_used=true). yea, ok, so the chances of a user knowing that variable exists, and what exactly to populate it with are slim, but the possibility still exists.

basically put, the above methods are crap. what i'm hoping for is a built in function to return the state of how the file was included. since php is interpreted in realtime, surely it has a method of returning exactly what its just done? thus knowing include was used???

failing this, a connection state would be the next best thing, as a mysql database connection is made on the initial page, thus a quick check of whether or not this connection is present should be enough to prove the file was included from at least a page making sucha connection. unfortunately the only method i know of checking this is to check the variable used for that connection, which again goes back to the variable exploit above... i really would prefer a more secure method.

any ideas?

how different is your project different from a standard "login project" ?
Explain that for more... :)
its different in that users don't need to login, lol. my login script is seperate, only really used for sorting mod privileges out and whatnot.

i still want all users to access these pages, i just don't want them to access them directly. for example, the following url:

...(fake url obviously) would include whatever.php into main.php. this is perfectly fine, but at the moment the following would return whatever.php and any scripts reading variables etc... off main.php would be screwed, returning errors or incorrectly (possibly exploitable) returning dynamic content that should only be visible to a mod:

all i want is to write a simple script at the top of such pages, so if there not being included into main.php, they simply die() and don't return anything.

You can use $_SERVER['SCRIPT_NAME'] to find out the name of the script that was called. Use basename() to reduce it to the filename only. If it's not main.php, you know something's up.
perfect! not something i've used before to be honest, but my god it makes for a great security feature.

if(basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__)){ die(); }