To prevent direct access to a PHP page, you should ideally place it outside of the web root. However, if this isn't practical, you can use the following check.

    // True only when this file is the script that was requested directly
    if (__FILE__ == $_SERVER['SCRIPT_FILENAME']) {
        header('HTTP/1.0 404 Not Found');
        // Handle your error here
        exit;
    }

__FILE__ always returns the path to the current script, even if it's an include, whereas $_SERVER['SCRIPT_FILENAME'] returns the top-level script that was called. If you want to use this script as a function you must pass __FILE__ to the function, rather than use it inside the function, else __FILE__ will always hold the value of the file that contains the function.
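
The function form described above, as an added example that is not the author's code. The names is_direct_request() and deny_direct_access() are hypothetical, and the realpath() normalisation is an addition: __FILE__ has symlinks resolved, while SCRIPT_FILENAME may not, so a plain comparison can miss a direct request made through a symlinked path.

```php
<?php
// Added example. Function names are hypothetical, not from the original post.

// True when $callerFile is the entry script of the current request, meaning
// it was requested directly instead of being pulled in by include/require.
function is_direct_request(string $callerFile, array $server): bool
{
    $entry = $server['SCRIPT_FILENAME'] ?? '';
    if ($entry === '') {
        return false; // no entry script recorded, nothing to compare
    }
    // __FILE__ has symlinks resolved, while SCRIPT_FILENAME may still be the
    // symlinked path, so compare the resolved form of both.
    $a = realpath($callerFile);
    $b = realpath($entry);
    if ($a === false || $b === false) {
        return $callerFile === $entry; // fall back to the plain comparison
    }
    return $a === $b;
}

// Call as deny_direct_access(__FILE__) on the first line of an include-only
// file. __FILE__ must be passed in: inside this function it would name the
// file that defines the function, not the file being protected.
function deny_direct_access(string $callerFile): void
{
    if (is_direct_request($callerFile, $_SERVER)) {
        http_response_code(404);
        exit;
    }
}

// Self-check on constructed sample paths (CLI only; uses symlink(), so POSIX).
if (PHP_SAPI === 'cli') {
    $real = tempnam(sys_get_temp_dir(), 'inc');
    $link = $real . '.link';
    symlink($real, $link);
    // Case 1: the include file itself was requested through a symlinked path.
    var_dump(is_direct_request($real, ['SCRIPT_FILENAME' => $link]));
    // Case 2: another script is the entry point and merely includes the file.
    var_dump(is_direct_request($real, ['SCRIPT_FILENAME' => __FILE__]));
    unlink($link);
    unlink($real);
}
```
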
Tim Bennett is a freelance web designer from Leeds. He has a First Class Honours degree in Computing from
Leeds Metropolitan University and currently runs his own one-man web design company, Texelate.