  1. #1
    Regular Coder

    Preventing include()

    What is a good way to prevent a person from being able to include() my PHP files?
    Is it possible to make it so only the 127.0.0.1 IP can include the files? Not a different server?

    Thanks a lot!

  • #2
    Senior Coder kbluhm
    Only your local server can properly include your local files. If a remote server tries to include your files, they will be included after being parsed, which means they'll only have access to what you see when you view the file online in a browser.

  • #3
    Regular Coder
    Errr... duh.
    No more all night coding sessions for me...

  • #4
    Senior Coder CFMaBiSmAd
    If you also want to prevent someone from seeing/using any content that is output by your include file, you can either set a variable or define a constant in your main file and then check for the variable or constant in your include file and simply exit() if the variable/constant is not found.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #5
    Regular Coder ess
    If you have access to httpd.config, I would suggest using
    open_basedir
    as that will restrict PHP from accessing any directories outside the Document root.

    If you don't have access to php.ini or httpd.config, you can always use a .htaccess file.

    For more info, please check out the following url.
    http://phpsec.org/projects/phpsecinf...n_basedir.html

    Cheers,
    Ess

  • #6
    Senior Coder CFMaBiSmAd
    What would the open_basedir setting on the OP's server have to do with someone else remotely including or browsing to his include files?

  • #7
    Regular Coder ess
    Quote: Originally posted by CFMaBiSmAd
    What would the open_basedir setting on the OP's server have to do with someone else remotely including or browsing to his include files?
    If you are managing the server, or know the person managing the server... you can ask them to set it in order to limit every virtual host to a specific folder.

    If you don't have access to the configuration files, then... well... your options are a bit limited if others can access your directory.

    And no, you cannot rely on host variables (i.e. $_SERVER["HTTP_HOST"]) to stop others from seeing the contents of your files and gaining access to important information such as database user name and password, among others.

    I think limiting virtual hosts to specific folders is a good solution and should be implemented when possible.

  • #8
    Senior Coder
    If you also want to prevent someone from seeing/using any content that is output by your include file, you can either set a variable or define a constant in your main file and then check for the variable or constant in your include file and simply exit() if the variable/constant is not found.
    It is usually better to put includes in a folder that is not accessible from the outside (basically outside your website folder).

    Maintenance on using a constant/check in every include is a bit of a hassle. You're forced to copy and paste code every time you make an include. Which is fine for a handful of files. But when you have over a dozen, it becomes a problem when updating each file. You should never have to resort to copying and pasting in coding. If you do, you can probably abstract it away.
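
Added example, not code from any poster in this thread: the constant check described in post #4 combined with the layout suggested in post #8 (includes kept in a folder beside the document root). The names APP_ENTRY, public/ and includes/config.php are assumptions, the sample value is constructed, and running a file with the PHP CLI stands in for a browser requesting that file directly.

```php
<?php
// Added example; APP_ENTRY, public/ and includes/ are hypothetical names.
$root = sys_get_temp_dir() . '/include_guard_demo_' . getmypid();
mkdir("$root/public", 0700, true);   // document root: files here have URLs
mkdir("$root/includes", 0700, true); // beside the document root: no URL maps here

// Include file with the check from post #4: stop unless the main file
// defined the constant first.
$guarded = <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {
    exit; // run on its own: produce no output at all
}
return ['db_user' => 'example_user']; // constructed sample value
PHP;
file_put_contents("$root/includes/config.php", $guarded);

// Main file: defines the constant, then loads the include by filesystem path.
$entry = <<<'PHP'
<?php
define('APP_ENTRY', true);
$config = require __DIR__ . '/../includes/config.php';
echo 'loaded config for ', $config['db_user'], "\n";
PHP;
file_put_contents("$root/public/index.php", $entry);

// Run a script as the top-level file, as the web server does for a direct request.
function run_script(string $path): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path);
    return (string) shell_exec($cmd);
}

$viaEntry = run_script("$root/public/index.php");
$direct   = run_script("$root/includes/config.php");

echo 'through index.php: ', $viaEntry;
echo 'include run alone: ', var_export($direct, true), "\n";

// Remove the constructed files.
unlink("$root/includes/config.php");
unlink("$root/public/index.php");
rmdir("$root/includes");
rmdir("$root/public");
rmdir($root);
```

With the includes folder outside the document root there is no URL that reaches config.php at all, so the constant check only comes into play for include files that must stay inside the web-accessible tree.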

