  1. #1
    Join Date
    Aug 2009
    Posts
    368
    Plugin Contributions
    0

    Protect my custom php files

    Hi all,

    I have some custom json launching a .php file and am looking for an easy way to protect the php file from being accessed directly from the browser. The php file is loading application_top.php in order to retrieve db connection info. Is there a session variable or something else that allows me to check if the php was launched from zencart pages?
    All suggestions are welcome!

    L.

  2. #2
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: Protect my custom php files

    Quote Originally Posted by solo_400
    Hi all,

    I have some custom json launching a .php file and am looking for an easy way to protect the php file from being accessed directly from the browser. The php file is loading application_top.php in order to retrieve db connection info. Is there a session variable or something else that allows me to check if the php was launched from zencart pages?
    All suggestions are welcome!

    L.

    * In theory, simply placing the custom.php file into the /admin/ or /includes/ folder(s) is enough to prevent someone running it directly (see the .htaccess files in these folders for a little more info).

    If you don't think this is protection enough, then there are most certainly other methods (such as checking session variables) that will enhance the default protection mechanisms. Only you are in a position to determine which variable will best suit your needs.

    Cheers
    Rod

    I have a gut feeling I may have this a little wrong... (haven't been in top form lately)

  3. #3
    Join Date
    Aug 2009
    Posts
    368
    Plugin Contributions
    0

    Re: Protect my custom php files

    The problem is that when I put myfile.php in the includes directory and call it from json (includes/mycustomdir/myfile.php), it doesn't work. When I put myfile.php on the root path www.mystore.com/storename/myfile.php and call it from json (myfile.php), it works.
    Do you know why?

    thx

  4. #4
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: Protect my custom php files

    Quote Originally Posted by solo_400
    The problem is that when I put myfile.php in the includes directory and call it from json (includes/mycustomdir/myfile.php), it doesn't work. When I put myfile.php on the root path www.mystore.com/storename/myfile.php and call it from json (myfile.php), it works.
    Do you know why?

    Do I know why? Not really, but there are several things that come to mind. The most obvious being file not found (incorrect path/URL) or file or folder permissions (no read access).

    The fact that in one instance you specify "includes/mycustomdir/myfile.php" (a file path) and the other instance you specify www.mystore.com/storename/myfile.php (a URL) would suggest to me that you are possibly getting these confused somehow and/or are not making the required configuration changes when placing the file into a different location.

    This is mostly speculation though.. If I were you, I'd be looking at the log files as these are sure to eliminate the guesswork I'm currently employing.

    Cheers
    Rod

  5. #5
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Protect my custom php files

    Quote Originally Posted by solo_400
    Hi all,

    I have some custom json launching a .php file and am looking for an easy way to protect the php file from being accessed directly from the browser. The php file is loading application_top.php in order to retrieve db connection info. Is there a session variable or something else that allows me to check if the php was launched from zencart pages?
    All suggestions are welcome!

    L.

    I think you're asking the wrong question.
    If your "custom json" is an ajax script, then it IS accessing your myfile.php script directly from the browser ... because ajax runs in your browser.

    I suspect that you really need to be building stronger security into whatever your myfile.php script is doing so that it knows the incoming request is authorized. Perhaps validating that the security token is correct, or something similar.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Aug 2009
    Posts
    368
    Plugin Contributions
    0

    Re: Protect my custom php files

    Thank you Dr.Byte, do you have any idea (a piece of code) showing how to build a security mechanism for blocking direct access to the myfile.php file? You're right, the reason it doesn't work when I place it in the /include directory is the default .htaccess. I really need a technical solution.
    Last edited by solo_400; 18 Dec 2012 at 05:29 PM.
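
One way to do the token validation suggested in post #5, as an added example that is not part of the thread and not Zen Cart's own code. It assumes application_top.php has started the session, that the session holds a per-session token under `securityToken`, and that the calling page sends that token in its POST data; `check_ajax_request` is a hypothetical helper name.

```php
<?php
// myfile.php (added example). Assumptions: application_top.php starts the
// session, and the store page that issues the AJAX call embeds the value of
// $_SESSION['securityToken'] in the data it posts.
require 'includes/application_top.php';

/**
 * Decide whether an incoming AJAX request is authorized.
 * Returns the HTTP status to send: 200 to proceed, otherwise an error code.
 */
function check_ajax_request(array $server, array $post, array $session): int
{
    // Accept POST only, so the token never ends up in URLs or access logs.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }

    // No token in the session means this visitor never loaded a store page.
    $expected = $session['securityToken'] ?? '';
    $supplied = $post['securityToken'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return 403;
    }

    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!hash_equals($expected, $supplied)) {
        return 403;
    }

    return 200;
}

$status = check_ajax_request($_SERVER, $_POST, $_SESSION ?? []);
header('Content-Type: application/json');
if ($status !== 200) {
    http_response_code($status);
    echo json_encode(['error' => 'request not authorized']);
    exit;
}

// Authorized: the script's real work goes here.
echo json_encode(['ok' => true]);
```

Because the AJAX call comes from the browser, the URL itself stays reachable; the check only ensures the caller holds the token issued to a session that loaded a store page.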

 

 
