www.webdeveloper.com

Thread: Securing php includes

  1. #1
    Join Date
    Oct 2006
    Location
    Ables Springs, Texas
    Posts
    140

    Securing php includes

    I've come across two ways to secure php includes:
    1 - With a lock and key code ($ping = "pong" and $ping != "pong")
    2 - by placing the includes above the root directory and accessing them by absolute path (include "/path/to/includes/myinclude.php";).

    Are these viable? Or, am I wasting my time trying to secure my includes?

    I'm asking because some of those includes contain ad code.

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,633
    If the file only consists of class and/or function definitions, there's really not much reason to secure it (at least from HTTP access). If you do need to secure it and cannot store it outside of the web root, you can give it a unique suffix (since it doesn't matter what the suffix is if you are including it), and specify in .htaccess or your httpd config to not allow access to files with that suffix.

    A purely PHP method to prevent access:
    PHP Code:
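    <?php
    // If this file is the script the web server was asked to run (rather than
    // one pulled in by include/require), answer as though it does not exist.
    if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
        header("HTTP/1.0 404 Not Found");
        exit;
    }
    // rest of file...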
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
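
    The suffix-based restriction described in the post above, written out as an added example (not code from the thread). The `.inc` suffix is an assumption; use whatever suffix you gave your includes.

    ```apache
    # .htaccess in the directory that holds the include files.
    # Assumption: includes use the ".inc" suffix; substitute the suffix you chose.
    # The server config must let .htaccess set these directives:
    # AllowOverride AuthConfig for "Require", AllowOverride Limit for "Order"/"Deny".

    # Apache 2.4 and later: access control comes from mod_authz_core.
    <IfModule mod_authz_core.c>
        <FilesMatch "\.inc$">
            Require all denied
        </FilesMatch>
    </IfModule>

    # Apache 2.2 and earlier: mod_authz_core is absent, so use the older syntax.
    <IfModule !mod_authz_core.c>
        <FilesMatch "\.inc$">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </IfModule>
    ```

    A direct HTTP request for a matching file then gets 403 Forbidden, while PHP's include still works because it reads the file from disk rather than over HTTP. Without such a rule, a file whose suffix Apache does not hand to PHP is served as plain text, source included.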

  3. #3
    Join Date
    Oct 2006
    Location
    Ables Springs, Texas
    Posts
    140
    If I understand you correctly, the include doesn't have to end with .php, and can be called something like adsense-code.inc (.inc files are already restricted through .htaccess).

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,633
    Originally posted by jwgrafflin:
    If I understand you correctly, the include doesn't have to end with .php, and can be called something like adsense-code.inc (.inc files are already restricted through .htaccess).
    Right. The only exception to this would be if for some reason -- and I recommend against it in 99.99% of cases -- that you include it via a URL, which of course would not be the case here since you don't want the file to be accessible via HTTP. (It's been a long week, I didn't get enough sleep last night, so I may be typing gibberish by now.)

  5. #5
    Join Date
    Oct 2006
    Location
    Ables Springs, Texas
    Posts
    140
    Got it. Now, go get some rest. You deserve it.
