
View Full Version : Preventing include()



marcus1060
06-08-2007, 03:09 PM
What is a good way to prevent a person from being able to include() my PHP files?
Is it possible to make it so only the 127.0.0.1 IP can include the files? Not a different server?

Thanks a lot!

kbluhm
06-08-2007, 03:29 PM
Only your local server can properly include your local files. If a remote server tries to include your files, they will be included after being parsed, which means they'll only have access to what you see when you view the file online in a browser.

marcus1060
06-08-2007, 03:36 PM
Errr... duh.
No more all night coding sessions for me...

CFMaBiSmAd
06-08-2007, 05:51 PM
If you also want to prevent someone from seeing/using any content that is output by your include file, you can either set a variable or define a constant in your main file and then check for the variable or constant in your include file and simply exit() if the variable/constant is not found.
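The constant-guard pattern described in this post, written out as an added example (this is not the poster's code). The file names and the constant name APP_ENTRY are illustrative; the two sections are meant to be saved as two separate files:

```php
<?php
// Added example, not code from the thread. Names (APP_ENTRY, config.inc.php,
// DB_*) are illustrative; the DB values are constructed placeholders.

// ---- index.php (the entry script the browser actually requests) ----
define('APP_ENTRY', true);          // set BEFORE the include
require __DIR__ . '/config.inc.php';
echo 'Loaded config for ' . DB_NAME . "\n";

// ---- config.inc.php (the file that must not be served on its own) ----
// If this file is requested directly (or fetched by a remote include() of
// its URL), the constant is absent: stop before any secret is output.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted');
}
define('DB_NAME', 'example_db');     // constructed placeholder
define('DB_USER', 'example_user');   // constructed placeholder
define('DB_PASS', 'example_pass');   // constructed placeholder
```

Two caveats a practitioner should keep in mind: the guard only works if the web server hands the file to PHP, so an include named `config.inc` in the document root is served as plain source regardless of the check; and a remote include() of your URL only ever receives the parsed output, as kbluhm notes above (and fetching code from a URL is disabled by default via `allow_url_include` from PHP 5.2 on).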

ess
06-08-2007, 06:21 PM
If you have access to httpd.config, I would suggest using open_basedir, as that will restrict PHP from accessing any directories outside the Document root.

If you don't have access to php.ini or httpd.config, you can always use a .htaccess file.

For more info, please check out the following url.
http://phpsec.org/projects/phpsecinfo/tests/open_basedir.html

Cheers,
Ess

CFMaBiSmAd
06-08-2007, 09:49 PM
What would the open_basedir setting on the OP's server have to do with someone else remotely including or browsing to his include files?

ess
06-08-2007, 10:16 PM
What would the open_basedir setting on the OP's server have to do with someone else remotely including or browsing to his include files?

If you are managing the server, or know the person managing the server...you can ask them to set it in order to limit every virtual host to a specific folder.

If you don't have access to the configurations files, then...well...your options are a bit limited if others can access your directory.

And no, you cannot rely on host variables (i.e. $_SERVER["HTTP_HOST"]) to stop others from seeing the contents of your files and gaining access to important information such as the database user name and password, among others.

I think limiting virtual hosts to specific folders is a good solution and should be implemented when possible.

aedrin
06-08-2007, 10:35 PM
If you also want to prevent someone from seeing/using any content that is output by your include file, you can either set a variable or define a constant in your main file and then check for the variable or constant in your include file and simply exit() if the variable/constant is not found.


It is usually better to put includes in a folder that is not accessible from the outside (basically outside your website folder).

Maintenance on using a constant/check in every include is a bit of a hassle. You're forced to copy and paste code every time you make an include. That is fine for a handful of files, but when you have over a dozen, it becomes a problem when updating each file. You should never have to resort to copy and pasting in coding. If you do, you can probably abstract it away. ;)
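An added example (not aedrin's or anyone else's code from the thread) of the layout this post recommends: includes live outside the document root and a single bootstrap loads them, so no include file needs its own guard. It also exposes the open_basedir value ess suggested setting, so an operator can confirm the restriction is in place. All paths, function names and the DB_DSN value are assumptions for the example; the sections are separate files.

```php
<?php
// Added example, not code from the thread. Assumed layout (illustrative):
//
//   /var/www/example/public/index.php    <- DocumentRoot, reachable by URL
//   /var/www/example/app/bootstrap.php   <- not reachable by URL
//   /var/www/example/app/config.php
//   /var/www/example/app/lib/db.php

// ---- public/index.php ----
require dirname(__DIR__) . '/app/bootstrap.php';
app_require('db');                  // loads app/lib/db.php
echo db_dsn(), "\n";

// ---- app/bootstrap.php ----
define('APP_ROOT', __DIR__);

/**
 * Load a library file by short name from app/lib only. The name is limited
 * to [A-Za-z0-9_-] and the resolved path is checked against the lib
 * directory, so a value that came from user input can neither climb out
 * with "../" nor name a remote URL.
 */
function app_require(string $name): void
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        throw new InvalidArgumentException("Bad include name: $name");
    }
    $libDir = realpath(APP_ROOT . '/lib');
    $file   = realpath($libDir . '/' . $name . '.php');
    if ($file === false || strpos($file, $libDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Include not found or outside lib/: $name");
    }
    require_once $file;
}

/**
 * Report the open_basedir restriction (ess's suggestion above), or null
 * when PHP is not fenced into a directory at all.
 */
function app_open_basedir(): ?string
{
    $v = ini_get('open_basedir');
    return ($v === '' || $v === false) ? null : $v;
}

require APP_ROOT . '/config.php';   // plain PHP, never served by the web server

// ---- app/lib/db.php ----
function db_dsn(): string
{
    return DB_DSN;
}

// ---- app/config.php ----
define('DB_DSN', 'mysql:host=127.0.0.1;dbname=example');   // constructed value
```

With this layout a browser cannot request `app/config.php` at all, so the per-file `defined()` check becomes unnecessary. Setting `php_admin_value open_basedir /var/www/example/` in the Apache vhost (or the equivalent in php.ini) additionally stops PHP itself from reading anything outside that tree, which is what limits each virtual host to its own folder as ess describes.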


