Hi, I have a number of PHP "include" files which could potentially pose a security risk if accessed over HTTP. Is there any way to prevent access to these files over HTTP, but without using .htaccess? I still need them to be included in other scripts! Thanks, - QS Computing.
Add something like this to the top of the PHP files which the included PHP files are called from: define('SAFE', true); Then add this to the _top_ of all the included files: if(!defined('SAFE')) exit('Access Denied!'); Also, it would be good to put an empty index.html file in your includes directory; this way users cannot browse what files are there (they just get an empty page).
Another way is to create a folder above your web directory, for example: your root: /home/ your web: /home/public_html/ put the includes in: /home/includes/ This will make it so they cannot be accessed via the web but your pages have access to them. Or at least in my experience this works pretty well.
How do you include the PHP files which are in the /home/includes folder? Could you not create a folder like /home/public_html/includes/ and change the permissions of this folder?
Weirfire: You can do that as well. As for how to include files in /home/includes/: include_once('../includes/filename.php'); There are a million different ways to protect your include files. I personally just use the includes folder with permissions set and I also do things like: inc.filename.php or filename.inc
I did something like nullbit suggested, but it's still (theoretically) possible to circumvent it. Unfortunately I'm using a cheap host who doesn't give me access to anything above my web directory. How would setting permissions work? Surely PHP runs as the same user as the webserver? So if I set -r--r----- then everyone can read the script over the 'net? Thanks, - QS Computing
Can you not set the privileges so that it can't be accessed globally? I've never really looked into this but I'd be interested to find out.
I recommend against this. The server will usually return this file as plain text, thus letting the visitor view the code. Most include files are ok if they end in the .php extension. As long as they are parsed by php/apache they should return only the output from the code, and not the code itself.
If it's a shared machine, you are not supposed to access anything above your directory. I know you said you didn't want to use .htaccess, but this is really your best option, as it covers pretty much everything from the security point of view. Redirect all requests to files located in the include directory to a 404 handler. There are a few ways to do this. For example, if you keep all your PHP include files in the include directory and your custom error files are in the errors directory, add this line into your .htaccess file: RewriteRule ^include/.*$ /errors/404.php [L] The 404.php file would look like this: <?php header("HTTP/1.0 404 Not Found") ?> <h1>404 Not Found</h1> Permissions are not good for the purposes of hiding include files because your web server will still need to access the files, regardless of the way the file was requested (i.e. HTTP or include). Redirection, on the other hand, only affects how files are accessed over HTTP. Also, it is better to return 404 (not found) than 403 (forbidden) because returning 403 will tell the attacker that the file does exist in the protected directory. J.D.
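As an added example (not code posted by anyone in this thread), here is a guard for the top of an include file that combines nullbit's define() constant check with J.D.'s advice to answer a direct request with 404 rather than 403, and goes one step further by also comparing the requested script path against the file itself so a caller that forgets the define() is still covered. The file names and the constant name IN_APP are assumptions.

```php
<?php
// Added example for this thread, not code from any poster above.
// Guard for an include that lives under the web root and cannot be shielded
// by .htaccess or by moving it above public_html.
//
// Caller (e.g. index.php) is expected to do, before the require:
//     define('IN_APP', true);
//     require __DIR__ . '/includes/config.inc.php';
// __DIR__ makes the path independent of the working directory, which
// include_once('../includes/...') is not.

function requested_directly(): bool
{
    // Normal case: the caller defined the constant, so we were included.
    if (defined('IN_APP')) {
        return false;
    }
    // Fallback: if this file is the script the web server was asked to run
    // (rather than something pulled in by require/include), it was requested
    // directly over HTTP.
    $script = $_SERVER['SCRIPT_FILENAME'] ?? '';
    return $script !== '' && realpath($script) === realpath(__FILE__);
}

if (requested_directly()) {
    // 404, not 403: a 403 confirms to the requester that the file exists.
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    echo "<h1>404 Not Found</h1>\n";
    exit;
}

// ---- protected content below this line ---------------------------------
// This only helps if the server hands the file to PHP. A file named
// config.inc (no .php suffix) is usually served as plain text, as noted in
// the thread, and the guard above never runs.
$config = [
    'db_user' => 'app',          // constructed placeholder value
    'db_pass' => 'PLACEHOLDER',  // real secrets belong outside the web root
];
```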
True, but I thought palespyder was suggesting that I might get a directory in my home directory above my web directory. Actually, I can't use .htaccess - my host won't allow it. Hence the problem. - QS Computing.
Your host does not allow you to create a .htaccess file?? I would read my contract and find out how quickly I could dump them. Inexpensive hosting services are a dime a dozen.
Well, some hosting companies do allow you to access a designated directory above the web root (you could create subdirectories there), even in a shared environment. This is done so that you could keep sensitive files, such as a password file for directory authentication, away from web access (you would still be able to access it through PHP). This setup is quite elaborate and I'm not sure how many hosting companies do this. I agree with Neters - dump 'em. J.D.
I'm using webspace that comes with my ISP. It's pretty decent hosting - for an ISP, but all of the useful features are pretty much mutually exclusive. I get access to two servers: www.qs...: allows me to serve basic HTML and files, .htaccess allowed; cgi.qs...: CGI, PHP, SSH access etc., less space, no .htaccess. Any recommendations of decent (but fairly cheap) hosts? - QS Computing.
GoDaddy comes to mind. I know there are people here who host with them so you may want to search the forum to see how it rates.
You can also check places like www.askwebhosting.com. They allow you to search by price range. Once you've found a couple of companies you like, do a search on this forum or through blogs to see what people are saying about them. J.D.