1

I am setting up a new website and currently if I go to mydomain/php/someScript.php it will execute the PHP script. How can I let the files that include this still include this but not let anyone else execute these scripts from the browser? Currently I have this in my .htaccess file:

deny from all

but when I visit the site an AJAX POST request is made to a script in this folder and is getting back a 403 error.

Any ideas on how to achieve this are welcome.

====EDIT====

For clarity, some files in the php directory are requested by AJAX and I've now been made aware that these files can't have the desired permissions. However, I would still like to put these permissions on the other files in this directory.

Thanks

Aly

2 Answers

1

You can still include those files from PHP, e.g. using include or require.

Calling it via AJAX is not different from calling it by entering the URL in the browser - i.e. you cannot block direct access but allow AJAX access.

ThiefMaster
  • Ah I see, how can I edit my .htaccess file to say deny from all for these files? – Aly Mar 07 '11 at 21:03
  • Look around on SO - there's a ton of questions/answers on how to allow only authorized users access to a script. – Marc B Mar 07 '11 at 21:31
1

The best solution is to put them outside of the web root directory if at all possible. That way you can include them but the web server can't serve them; no configuration is required at all in this case.

EDIT: I noticed you want to allow access to the scripts by AJAX. There is no way of doing this as there's no way of telling the difference between an AJAX request or other types of HTTP request with any reliability.

GordonM
  • I have edited my question, as I still want to add permissions to other files in this directory – Aly Mar 07 '11 at 21:06
  • You could always put all the private scripts in a directory outside the web root, and the AJAX scripts in a different directory inside the web root. They don't all have to be in the same location; if they need to reference each other they can do so via relative paths. – GordonM Mar 07 '11 at 21:09
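
For the case in the question's edit, where the AJAX endpoints and the include-only scripts stay in the same php/ directory, an .htaccess allow-list can deny every PHP file over HTTP except the named endpoints. This is an added example, not code from any of the posts above; it assumes Apache 2.4 with AllowOverride AuthConfig, and the endpoint names ajaxSearch.php and ajaxSave.php are hypothetical.

```apache
# php/.htaccess (added example; endpoint file names below are hypothetical)
#
# Default: no .php file in this directory may be requested over HTTP.
# include/require read from the filesystem, not through Apache, so
# scripts that include these files keep working.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Exceptions: the scripts the browser calls via AJAX must stay reachable.
# This section comes later, so its Require replaces the one above for the
# files it matches. A request typed into the address bar reaches them as
# well, so these scripts must do their own authorization checks.
<FilesMatch "^(ajaxSearch|ajaxSave)\.php$">
    Require all granted
</FilesMatch>

# Apache 2.2 equivalent of the two blocks, in the question's syntax:
#   <FilesMatch "\.php$">
#       Order allow,deny
#       Deny from all
#   </FilesMatch>
#   <FilesMatch "^(ajaxSearch|ajaxSave)\.php$">
#       Order allow,deny
#       Allow from all
#   </FilesMatch>
```

New scripts added to the directory are denied until they are listed, which is the safer default than denying individual files by name.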