the thing is, they can still get your files when doing stuff like that
file_get_contents('usr/your_doc_root/script.php');
then save it, and use it. but if that's not what you're worried about
you could make sure that the parent script (the one doing the include) is in your doc root, if not, exit();
maybe
Code:
<?php
// stop unless this server's document root is the expected one
if ($_SERVER['DOCUMENT_ROOT'] !== 'hardcode/your/docroot/here') {
    exit;
}
?>
this is why php offers safe mode, and open_basedir. it's a non-ideal solution to shared hosting security problems. But it's usually the best solution...
but really, if someone is trying to mess with you, and shares the server w/ you, you're not gonna stop them w/ this kinda stuff... no matter what you do w/ php, remember, they can prob still use cgi
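
A stricter form of the parent-script check suggested in the post above, as an added example that is not part of the original post: it resolves the entry script with realpath() and compares it to a hardcoded root on a directory boundary, then logs when open_basedir is unset. ALLOWED_ROOT and path_is_inside() are names made up for this example, and the path is a placeholder. It only stops the file from running under a foreign entry script; it does not stop the source from being read.

```php
<?php
// Added example. ALLOWED_ROOT is a placeholder: set it to your own document root.
const ALLOWED_ROOT = '/hardcode/your/docroot/here';

/**
 * True if $path resolves to $base itself or to a location underneath it.
 * realpath() follows symlinks and collapses "..", so a path such as
 * "<root>/../other/evil.php" is judged by where it really points.
 */
function path_is_inside(string $path, string $base): bool
{
    $realPath = realpath($path);
    $realBase = realpath($base);
    if ($realPath === false || $realBase === false) {
        return false; // anything that cannot be resolved counts as outside
    }
    // The trailing separator keeps "/home/me/www2" from matching base "/home/me/www".
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realPath = $realPath . DIRECTORY_SEPARATOR;

    return strncmp($realPath, $realBase, strlen($realBase)) === 0;
}

// get_included_files()[0] is the script the request originally started in,
// i.e. the outermost "parent" when this file is reached through include/require.
$entryScript = get_included_files()[0];

if (!path_is_inside($entryScript, ALLOWED_ROOT)) {
    error_log('Blocked include: entry script outside allowed root: ' . $entryScript);
    exit;
}

// An empty open_basedir means PHP itself places no limit on which directories
// scripts on this host may open; worth knowing on a shared server.
if ((string) ini_get('open_basedir') === '') {
    error_log('open_basedir is not set for this PHP configuration');
}
```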