06-28-2012, 12:49 PM | #1
100asa
Securing Include files

What's the best and most secure way to include/require files?

I'm currently using the following method:

For my include files, I have the following at the top:
PHP Code:
defined('_VALID_INCLUDE') or die('Direct access not allowed.'); 
And for the files where I include that file, I have:
PHP Code:
define('_VALID_INCLUDE', TRUE);
require('connect.php');
Is this a good and secure method, or is there a better way to do this?
06-28-2012, 02:56 PM | #2
Fou-Lu
This doesn't exactly help with security. Assuming that the includes generate no processing of their own directly, attaching directly to them won't cause a problem. On the other hand, if you want to ensure that an include is reliant on the script including it (it does actual processing based on reliant data), then it may be a good idea to dictate a constant to it to ensure it's been included and not directly accessed.
So from an error control perspective, it may be a good idea to do this. I've done OO programming for so long now that I never have main processing running in an included class. It's always constructed and handled from another method or the primary script.
06-28-2012, 03:52 PM | #3
100asa
So what I've been doing, as shown above, makes no difference when it comes to security?
06-28-2012, 05:21 PM | #4
Fou-Lu
Nope. Security would indicate some type of access control. All a defined constant will do here is determine if it can run by itself or if it has to be run in the scope of something that has defined the constant. So for this I'd define it more as an error control level instead.

Security in the scope of an include would be more along the lines of accepting a variable include from input which is verified against a list of valid ones. So if you accept a page from a user, you have to verify that page exists and is one you will allow access to; otherwise, nothing stops input from providing any filesystem file which the Apache user has access to, and that file will be included.
Fou-Lu is offline   Reply With Quote
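
The allowlist check described in post #4, as an added example that is not part of the original thread or any poster's code. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example: resolve a user-supplied page name through a fixed allowlist.
// PAGES_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names.

const PAGES_DIR = __DIR__ . '/pages';

// Accepted request values mapped to fixed file names. User input is only
// ever used as a key into this map, never as part of a filesystem path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Return the path to include for a requested page, or null if not allowed.
function resolve_page($requested): ?string
{
    // Reject arrays (?page[]=x) and anything that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, so the decision can be checked offline.
    $samples = ['home', 'about', '../../etc/passwd', 'home.php',
                "home\0", ['home'], 'php://input'];
    foreach ($samples as $sample) {
        printf("%-24s => %s\n", json_encode($sample),
               resolve_page($sample) ?? 'rejected');
    }
} else {
    // Web request: include only what the allowlist resolved, and only if
    // the mapped file is actually present on disk.
    $path = resolve_page($_GET['page'] ?? 'home');
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Page not found.');
    }
    require $path;
}
```

Run from the command line, it prints the resolved path for `home` and `about` and `rejected` for every other sample, including the traversal string, the stream wrapper and the array input.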

All times are GMT +1.