How to protect a php file from misuse?

I have two files. One is an html page and in it is a call to a php page (I'm using it to generate a dynamic text png).

page_1.html
<html>
<img scr="heading.php?text=testing">
</html>

heading.php
<?php
php image generation stuff here
?>

I want to know if there's a way, using session variables or .htaccess protection or whatever, to allow users to load 'page_1.html' normally but not allow users to access 'heading.php' directly (by putting 'heading.php?text=some super long random text here' into their browsers).

My first thought was to have 'heading.php' only run when a certain variable was passed to it from 'page_1.html' but that hasn't worked correctly.

Any ideas?

Maybe do a referer check in the PHP file, looking for page_1.html. It's not foolproof, but it'd keep your average user from abusing the file.

>Maybe do a referer check in the PHP file, looking for page_1.html. It's
>not foolproof, but it'd keep your average user from abusing the file.

How would that work if I had 100 HTML pages accessing the script? Could a referer check for and only allow requests coming from a certain directory?

Sure, you could look for a directory or even a domain. A domain would be preferable, in fact, as anyone on to your spoof check could create a directory on their server and get past your check without even having to write any spoof code.

So, the PHP file would check that the request was coming from:

http://www.domain.com/html/page_1.html

and the PHP could sit in

http://www.domain.com/php/heading.php

Is this correct? If you happen to know what the referer code might like that'd be great. But I will look around and try to figure it out. Thanks.

If you want to just check by domain, try:



To restrict access to a given page:



Or for a directory:



Note that dots and slashes have to be escaped within the preg_match() string. Other pattern matching functions could be used as well.

Great, thanks so much.