3 Simple Ways to restrict access to your webpages using PHP

Why do you need to restrict access to some of your scripts or webpages? There are can be several reasons to do this:

• You can use some open-source php script (for example, statistics frontend), and you can not be fully assured that your data completely safe. Many open-source scripts have vulnerabilities, allowing hackers to gain access to your data, so you may want to hide this script "entry point" from others.
• You can have some important private data you don't want to be accessible by aliens.

So you need to "hide" your pages from search engine spiders, random visitors and other unwanted persons. In this article we'll examine several techniques how you can implement such "access restriction" with PHP:

• Restrict access by IP address or IP range
• Specify additional hidden parameter
• Restrict access using Basic HTTP authentication
• Make the page "invisible" to the user or search engine spider

All our examples will implement the function CheckAccess(), so you can choose the better variant to use in your scripts. The basic technique is to place CheckAccess() in the beginning of your "private" scripts. Please note, our examples are very simple and can not be treated as comprehensive paranoid secure solution, nevertheless they can do their job.

Restrict access by IP address

If you have static IP address, you can hardcode it in your verification function something like this:

If you want to allow access to your PHP page only for the range of static IP addresses (for example, IP range of your organisation, school, etc.), your verification function could be as follows:

Specify additional hidden parameter

This very simple technique can be used if you want to restrict access to the PHP script and do not want to write much code. You can get access to your script by supplying arbitrary additonal parameter within the script URL, e.g.: http://www.yoursite.com/mystats.php?secretkey=secretvalue. Without this parameter you can return 404 HTTP (Page Not Found) response code as described below.

<?php

//This function returns True if query string contains secretkey and secretvalue.
//Otherwise it returns False
function CheckAccess()
{
  return @$_GET['secretkey']=='secretvalue';
}

?>

Restrict access using Basic HTTP authentication

The Basic HTTP authentication forces visitor's browser to show prompt asking for username and password in order to access restricted area. Our CheckAccess() function could be implemented like this:

Note that with this authentication method your browser will pass your username:password in HTTP headers as plain text. If you need stronger security, consider using Secure Sockets Layer (https protocol).

Make the page "invisible" to the user or search engine spider

Ok, now you have written simple checking function CheckAccess. How can you use it? Firstly you can save the function implementation in the php file for further inclusion in your scripts. After that you can try the first method placing something like this in the beginning of your script:

So after checking some credentials, if the check is not passed, your script will output "Access denied" message.

In my opinion, the better way is to make unwanted visitor/spider/hacker think the page does not exist. It can be done by returning "404 Not Found" HTTP header as response and can be implemented like this:

Conclusion

In this article we have examined simple web access restriction approaches in PHP: by IP address, with secret parameter, using Basic HTTP authentication. For more complicated solutions you can use some 3rd-party solutions and libraries like Pear::Auth or read more advanced tutorials like Tutorial "PHP-Based User Authentication" from Zend.