OK here is the background: My app will: have an admin access at http://sitename/admin/ Obviously authenticated users only are allowed access..
Now my issues is this, i do all the processing from a single index.php in admin/ folder that includes files from all over the webapp directory structure for example modules/thismodule/admin/index.php folder for getting the admin page for the module or modules/thismodule/index.php for displaying the modules in the public part of the page etc.. You get the picture.. What i want is to restrict acces to all these "included" php files such that by typing http://sitename/modules/thismodule/admin/index.php, this file will only be processed by the browser if and only if it has been included by http://sitename/admin/index.php NO "included" php file should be able to be processed by itself or accessed even for files that do not output anything.. So essentially i think i may be doing somethings wrong.. 1. My included files "assume" the top file has initiated an instance of an certain object thus being able to use the resources of the instanced objects in the top file..(obviously i have the necessary checks to make sure the instance has been created before including the file) -Should i be initializing new instances of the object at the top of each included file to prevent errors from appearing incase someone access the file directly? Or should i believe it doesn't really matter as in a production environment display_errors is set to off so no error output will be shown... 2. what is the assesed security risk if someone access a file directly even if it does not output anything? 3. is their a way to check that a file has been included by such and such file or should i develop a hash system where the top page that includes files generates a hash, stores it in the db for the length of the script and in a variable, and have the included file check that the variable from the top file and the hash in the db correspond? Security is driving me insane i'm becoming totally psychotic at the possiblity of someone taking over my admin systems... Regards, Tim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
