Page 1 of 1

Setting access permissions

Posted: Sat Apr 21, 2007 3:08 am
by mjseaden
Hi,

I have a couple of questions regarding setting permissions for how the public may access a file, and also how PHP may access files when executed publicly from the web root that do not reside within my web root directory.

I have a large series of '.inc' files in my project which contain PHP classes that implement my site's functionality (PHP5).

These '.inc' files are currently in the '/inc/' directory on my web root, so any PHP scripts on root get accessed via "include 'inc/myinclude.inc'".

The trouble is, when I place these files into IE/FireFox manually, they show up as text (I've sorted this out using .htaccess), and also, some of them contain sensitive information such as database passwords, which I certainly do not want to end up in the hands of the wrong types of people.

Can I either

(a) Place these .inc files outside of my webroot, for example in another directory on the same level of the hierarchy as webroot, leading to me including files using '../inc/myinclude.inc' - and would these .inc files then definitely be out of the hands of people viewing the site publicly, or:
(b) Restrict read access using permissions for the 'inc' directory in my webroot, without restricting access via PHP.

Many thanks

Posted: Sat Apr 21, 2007 6:12 am
by aaronhall
It would be a better idea not to use .inc at all if you can help it.

Posted: Sat Apr 21, 2007 6:14 am
by mentor
Or you can rename the .inc files as db.inc.php.

Posted: Sat Apr 21, 2007 7:49 am
by Kieran Huggins
both (a) and (b) are possible, and good suggestions!

your .htaccess can deny http access to certain file types, and php includes local filenames: include('../inc/something.inc'); will work, but be mindful of your PWD. For example you can use include($_SERVER['DOCUMENT_ROOT'].'../inc/something.inc');

Posted: Sat Apr 21, 2007 7:52 am
by mjseaden
Hi, thanks very much for your help.