Make a php only includable from local files

dsylebee
01-11-2010, 10:46 PM
Hi, I'd like to know if it's possible to make a PHP file includable only if the file is local. For example, check if a certain file is in the same folder; if it's not, well, don't do certain things.

ninnypants
01-11-2010, 11:01 PM
You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this:

<?php
// $path comes straight from the query string, so the request decides which file is included
$path = $_GET['path'];
include $path.'update_account.php';
?>

now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/ but a malicious user sees this and changes it to yoursite.com?path=/admin/account/; the user would have access to update the admin account. This is very general, but the idea is that it has the potential to cause some major security holes.

dsylebee
01-11-2010, 11:27 PM
> You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this:
>
> <?php
> $path = $_GET['path'];
> include $path.'update_account.php';
> ?>
>
> now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/ but a malicious user sees this and changes it to yoursite.com?path=/admin/account/; the user would have access to update the admin account. This is very general, but the idea is that it has the potential to cause some major security holes.

Then what would be a good way to fix this? I use sessions, though.. I'm more scared about SQL injections than the file code itself.

ninnypants
01-12-2010, 12:15 AM
Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?

dsylebee
01-12-2010, 12:26 AM
> Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?

Well, let's say someone is trying to connect to my database, knowing I have an include file that does the connection; I'd like it to only include if it's from the website itself.

ninnypants
01-12-2010, 12:59 AM
.php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.

MattF
01-12-2010, 01:07 AM
A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:

Parent file:

define('check_loaded', 1);

then in the include/require file, at the very top of the file, just after the opening PHP tag, you would insert the following:

if (!defined('check_loaded')) { exit(); }

If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?

dsylebee
01-12-2010, 01:12 AM
> A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:
>
> Parent file:
>
> define('check_loaded', 1);
>
> then in the include/require file, at the very top of the file, just after the opening PHP tag, you would insert the following:
>
> if (!defined('check_loaded')) { exit(); }
>
> If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?

Yes, thank you :-)

dsylebee
01-12-2010, 01:13 AM
> .php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.

Yes, though if they know the variable name they can always output it.

ninnypants
01-12-2010, 05:59 AM
That's not how it works; the file finishes processing before it ever loads into their script. They have no access to the variables used in the processing. If that weren't the case there would be no reason to use the language, since all of your information could be stolen easily.
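Putting ninnypants's warning about variable includes and MattF's define() guard together, here is an added example (not code from the thread) of a front controller that only includes files from a fixed allowlist; the file names and the 'page' parameter are assumptions.

```php
<?php
// Added example, not code from the thread. It replaces the "$_GET['path']"
// include ninnypants warns about with a fixed allowlist of pages, and shows
// where MattF's define() guard sits. File names and the 'page' parameter
// are hypothetical.
declare(strict_types=1);

// Every includable page is listed here by a short key. The request never
// supplies a path, only a key, so it cannot point the include anywhere else.
const ALLOWED_PAGES = [
    'account' => 'pages/update_account.php',
    'profile' => 'pages/profile.php',
];

/** Map a request key to an absolute path under this directory, or null. */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null; // unknown key: refuse rather than guess
    }
    $full = realpath(__DIR__ . '/' . ALLOWED_PAGES[$key]);
    // realpath() returns false for a missing file; the prefix check is a
    // second line of defence in case the allowlist itself is ever mis-edited.
    $base = __DIR__ . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// MattF's marker: only this front controller defines it, so an included
// page can tell whether it was loaded here or requested directly.
define('check_loaded', 1);

$page = resolve_page($_GET['page'] ?? '');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;

// pages/update_account.php begins with the guard from MattF's post, so a
// direct request for that file exits before running anything:
//
//   <?php
//   if (!defined('check_loaded')) { exit(); }
//   // ... account update code ...
```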