...

View Full Version : How do I call files that are in a non-web-accessible directory?



elegion
08-22-2006, 04:16 AM
I’m new to PHP, and I have a fairly easy question to ask concerning the “include” and “require” functions to secure my site. I’m having trouble calling the files from a non-web accessible directory.

I basically created a directory called “includes”. I then moved all my php files to that directory. After which I created and implemented the following code in the web accessible root directory:

require (“/www/includes/index.php”); (wouldn't parse, tried it without /www/)


require ('C:\Program Files\xampp\htdocs\mywebsite\header.php'); (I tried that code locally and it worked , but it didn’t work when I tried typing index.php , or when placing the files in the includes directory.)

All in all, I’ve tried to call the files in /includes/index.php online, but nothing seemed to work. And have tried this method on both my local, and online server. Is there something I’m missing, or doing wrong?


Thank you for your time.

musher
08-22-2006, 04:39 AM
elegion,
first you can either use require or include (here's the difference)

The two constructs are identical in every way except how they handle failure. include() (http://www.codingforums.com/function.include.html) produces a Warning (http://www.codingforums.com/phpdevel-errors.html#internal.e-warning) whilerequire() (http://www.codingforums.com/function.require.html) results in a Fatal Error (http://www.codingforums.com/phpdevel-errors.html#internal.e-error). In other words, use require() (http://www.codingforums.com/function.require.html) if you want a missing file to halt processing of the page. include() (http://www.codingforums.com/function.include.html) does not behave this way, the script will continue regardless.
ok now on to your code, if the file your calling the include from is your root and you have a directory under your root call includes this is how it would look

require('includes/header.inc'); should do it, I normally use require_once if the file has already been included once it won't need to be re-read.

require_once('includes/header.inc');

you can call your files what ever you want (ie. header.php) I normally call them ?????.inc just to help me keep things organized.

boeing747fp
08-22-2006, 04:44 AM
can you include files from non-accessible directories??

Fumigator
08-22-2006, 04:56 AM
you can call your files what ever you want (ie. header.php) I normally call them ?????.inc just to help me keep things organized.

Word of warning, if your included files end in .inc, most browsers will be able to read that file as if it were a text file. So your raw source code is available to prying eyes. Better to use filename.inc.php if you're inclined to use .inc in your naming convention.

To the OP, I'm not sure files a directory that isn't accessible to the web can be included. I include files in a directory with restricted permissions (I use chmod 744), but I wouldn't consider that non-web accessible.

musher
08-22-2006, 05:00 AM
Word of warning, if your included files end in .inc, most browsers will be able to read that file as if it were a text file. So your raw source code is available to prying eyes. Better to use filename.inc.php if you're inclined to use .inc in your naming convention.

Thanks Fumigator (I think, boy do I have a bunch of files and code to change now:eek:),


I basically created a directory called “includes”. I then moved all my php files to that directory. After which I created and implemented the following code in the web accessible root directory: .... I took that as he created an includes dir under the root

elegion what do you mean by a "a non-web accessible directory"

elegion
08-22-2006, 08:57 AM
Originally Posted by Musher
.... I took that as he created an includes dir under the root


Mucher that’s true, within my root directory online I created an “includes” folder wherein I temporarily CHMOD the file permissions to a world writable 777 to see if I could call those files, but nothing happened. 777 would’ve exposed the directory. I then changed the directory back to its original 755. Fumigator I haven’t tried the 744 yet.



Originally Posted by Musher
elegion what do you mean by a "a non-web accessible directory"

Non-web accessible it’s basically a directory that’s not viewable by the public , none of your users are able to access certain portions of your site through an url, only that which you, or the webmaster have placed in the root directory. I created a fall back .htaccess file, but I still can't call the file.

Exp, from another forum:

"I believe you can simply put the included file in a non-web-accessible directory:


include "/home/myself/includes/somefile.php"; [/B]

This was the answer given to when someone helped someone else.


Originally Posted by boeing747fp
can you include files from non-accessible directories??

Yeah, or so It’s stated in the following article (http://www.sitepoint.com/print/php-security-blunders), which is listed under the section Access Control Flaws. I stumbled across that particular article while doing a massive google for the answer, and creating my phpwebsite template. You can also include files that are on a completely different server.

Here’s the physical link: http://www.sitepoint.com/print/php-security-blunders


Following the examples in that article I went upon creating an “includes” folder in /www/includes, but because of the php.ini file I soon found that php.ini had the ability to change and allow php to configure not only register_globals, but on how code was parsed through php.

So with that knowledge I recreated the “includes “ directory within my site’s root directory. /mysite/includes

I read the user comments at php.net/includes (http://us2.php.net/manual/en/function.require.php) to find at least one hint, unfortunately the closest comment to my plight was on how to call a file from a remote server, which they insisted would lead to a security risk.

Of course, nothing would answer this fundamental question, and that perhaps, my host knew which directory was non-web accessible. And that in order for me to call these files, my host would have to modify the httpd.conf file in Apache.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum