In Officephp, there are main php pages and many module directories with hundreds of php files which are called when the application is running.

Sometimes, there are php files that are not meant to be accessed directly by the public, by typing via URL. They are part of include() or require() where they are requested from other pages.

However, with open source software, anyone can download the source code and look at the directory and files structure, hence she can type the name of the files directly in the browser URL and acess the pages.

To prevent this is simple. In the main page that can "legally" be seen by visitors (such as index.php), create a blank function BlockDirectAccess like below:-

Sample 1: index.php

<?php
function BlockDirectAccess (){}
require(extra.php);
?>

This a blank function, without any programming codes within it.

In the included/required file (e.g. extra.php below) where we do not want visitors to have direct access by typing via browser URL, call this function at the top of the page like below:

Sample 2: extra.php

<?php
BlockDirectAccess();
/* your codes here */
?>

Hence, everytime she tried to access the page directly by typing http://yourcompany.com/extra.php, she will get error message like below

"Fatal error: Call to undefined function: blockdirectaccess() in whatever/apache/htdocs/officephp/extra.php on line 2"

This could ensure that extra.php is only called and executed by visitors that visit the index.php file.

That's it. Everytime you have a page that is not meant to be peeked by intruders, call this function at the top of the page.