How do I protect include files from being opened via browser?


Ivan Ivković

Let's say somebody opens some of my class files via:

 

Example:

 

http://admin.mysite.com/classes/main.php

 

Can he do anything to harm my website?

Is this important to protect?

I keep protecting file by file with a function like:

 


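include('pagevariables.php');

// Redirect to the home page when this class file is requested directly.
if ($current_page == $file['mainclass']) {
    header('Location: ' . $file['home']);
    exit; // stop here so the rest of the file does not run after the redirect
}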

 

Is this possible via .htaccess? I don't know how to write htaccess.


There are a variety of ways to do it, but the easiest in my opinion is simply placing it in a secured directory and using .htaccess to deny direct access.

 

Here is a great site on writing .htaccess permissions: http://www.askapache.com/htaccess/htaccess.html

 

And here's an example about protecting your include file from being directly accessed if you don't want that to happen: http://davidwalsh.name/htaccess-security-include-files


Can he do anything to harm my website?

Is this important to protect?

 

Assuming your includes only define functions or classes and do not have any code that would run, then someone loading them in the browser is harmless; they would just get a blank page and your script would essentially do nothing.

 

If your files do have some code that runs, then you'd have to decide whether it can cause any problems or not. For instance, if you have a file that you include which connects to your DB, someone running it directly is probably harmless as it would just connect then immediately disconnect when the script ends.

 

 

However, if you do want to prevent people from accessing them directly then you have some options:

 

1) (preferred) Store all your includes in a directory that is outside of your web root.  This way the web server will not serve them and nobody can access them.  Your scripts will still be able to include them as they can access things out of the web root.

 

2) Configure the server to deny requests for that directory. For Apache you can do this via .htaccess. Other servers have their own ways most likely.

 

3) Include a little check at the top which will check if the current request is for that file and if so die().

 

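Option 2 from the answer above, written out as an added example that is not part of the original posts: a .htaccess file that makes Apache refuse every HTTP request for files in the directory it sits in. Placing it in the classes directory from the question's URL is an assumption about the site's layout.

```apache
# File: classes/.htaccess
# (assumed location: the directory holding main.php in the question's URL)
#
# Apache must permit overrides for this directory:
#   AllowOverride AuthConfig  for the 2.4 directive below
#   AllowOverride Limit       for the 2.2 directives below
# With "AllowOverride None" this file is ignored and the includes stay
# reachable, so check the result in a browser after deploying it.

# Apache 2.4 and later (mod_authz_core is loaded)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_core does not exist there)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

With this in place a browser request for a file in that directory should get a 403 response, while include() in your own scripts keeps working because PHP reads the file from disk rather than over HTTP.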
