PHP security


LaundroMat
11-06-2002, 02:53 PM
Suppose I use an include (say inc_openDB.php) to open my database, and that I include this code in each page where PHP needs access to the database. How can I protect this code from being read by others (you understand that the PHP statements will include my login and password for the database...)?

I know doing a simple "view source" won't reveal this, but how can I prevent people from browsing the directories and finding this piece of code?

Galdo
11-06-2002, 03:35 PM
As long as the code is inside the php <? ?> tags then there is no way anyone can see the code, even if they view the file through the directory listing.

LaundroMat
11-06-2002, 03:39 PM
Can't they just download the .php file and watch it in a text viewer?

firepages
11-06-2002, 03:43 PM
.... because unless your inc_openDB.php has something like

echo $my_password;

which it won't, I hope ;)

it may be ...

$db_user='username';
$db_pass='password';

but anyone viewing that page will see nothing.

That said, it's a good idea to keep sensitive information above your web root if your host allows it, so in say

/home/user/www/this.php
you might reference
include ('../db.inc.php');
which translates to
/home/user/db.inc.php
which the casual passer-by cannot access. That won't stop others on a shared server from trying to fopen() your scripts, though :) but those attempts are easily traced and dealt with.

As for directory browsing (which can, if nothing else, give an attacker the names of the files to try and fetch), you can use htaccess to prevent this, or if your host does not allow it (and perhaps easier) make sure there is always an index.html in each and every directory. This will prevent anyone from seeing the directory contents (unless your server has a very non-standard config, in which case find another host!).
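As an added example (not code from this thread), here is a this.php that follows the layout firepages describes, with the credentials file one level above the web root. The file names, the PDO connection and the convention that db.inc.php returns an array are my assumptions, not the thread's.

```php
<?php
// Added example: load database credentials from a file kept above the web root.
// Assumed (hypothetical) layout:
//   /home/user/db.inc.php      credentials, outside the document root
//   /home/user/www/this.php    this script, inside the document root
//
// db.inc.php is assumed to contain only:
//   <?php
//   return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'dbuser', 'pass' => 'secret'];

// Resolve the path relative to this file rather than the current working
// directory, so the include does not break when the script is run from elsewhere.
$configFile = dirname(__DIR__) . '/db.inc.php';

$resolved = realpath($configFile);
if ($resolved === false) {
    http_response_code(500);
    exit('Database configuration not found.');
}

// Refuse to run if the credentials file has ended up inside the document root:
// a server that stops handing .php files to the PHP parser would serve it as text.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false && strpos($resolved, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Database configuration must not live under the web root.');
}

$db = require $resolved;

try {
    $pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Log the detail server-side only: the message can contain the DSN or user name.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// $pdo is now ready for the rest of the page; the password never appears in any output.
```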

firepages
11-06-2002, 03:45 PM
sorry Galdo I did not see you there !

LaundroMat, the only way they can download your file is if they have your FTP username & password, in which case they can do whatever they like anyway.

whackaxe
11-06-2002, 05:20 PM
This is what happens (in plain English) when someone accesses your .php page:

http client-> could I have page.php?
http server-> oh hang on, I'm supposed to send them to the php parser.
*http server sends to php*
php parser-> thank you, now let's check for <? ?> tags. There are some! Great, now I'll just read what it's doing.... ok, code parsed, I'll just send the output and not the source
*http server-> great, now that's that page dealt with, I'll send it to the http client*
http client-> I just have some text to show. Cheers!

There you have a (very cordial) conversation between an http server, php and client. Hopefully you should understand what has happened to the php code.

LaundroMat
11-06-2002, 05:25 PM
Great info, thanks!