Home/ Questions/Q 8185249
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T01:46:57+00:00

I’m wondering how frameworks keep a user from directly accessing the action / dataservice

  • 0

I’m wondering how frameworks keep a user from directly accessing the action / dataservice script.

For example we go to www.test.com/test.html template test.html invokes test_action.php. What is stopping a user from going to the directory where this action script lives directly?

Such as www.test.com/index/actions/test_action.php

How are server permissions configured, so that test_action.php is accessed only through test.html.

  • in the case where I am stuck in doc-root on a shared hosting server
  • in the case where I’m running the show ~ I.E. my apache server
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you do nothing, and test_action.php is under your docroot, the use can access it. There are several ways to deal with this, if that is not acceptable (note that if your server has PHP properly installed/configured, they will not see the source code, just the output of the source code).

    If it is not allowable for the user to see the output of that script directly, you can choose one of several methods:

    1. Place all protected scripts outside the docroot of your HTTP server, then reference them using ../includes or similar
    2. Use an apache access control file to deny requests to .php (cut it off at the pass).
    3. Make an file called entry.php which declares a global constant, then include that file first from all of your valid entry points, and then in each of your protected scripts, check for the presence of that constant (IIRC, this is what CodeIgniter does).

    Generally, #1 is recommended. If that’s not good, #2 is very efficient, and #3 is, IMO, just tacky.

    • 0