protecting includes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

protecting includes

Post by andym01480 »

Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if called by index.php in the root directory?

$_SERVER['REQUEST_URI'], I have learned, can't be trusted.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: protecting includes

Post by VladSun »

You can define a constant in your index.php by using define() and then, in the included file, just check whether it's defined by using the defined() function.
There are 10 types of people in this world, those who understand binary and those who don't
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: protecting includes

Post by aschlosberg »

The function debug_backtrace() will provide you with an array describing function calls, includes, etc. up to the current point. You can go through the returned array and check for /path/to/root/index.php.

I don't know the internal workings of this function so someone with a bit more knowledge will have to verify that it's safe.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: protecting includes

Post by Benjamin »

Or you could protect the directory with an .htaccess file.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: protecting includes

Post by Christopher »

astions wrote: Or you could protect the directory with an .htaccess file.
I agree. I either use .htaccess to deny all or put the files in a directory outside of the public HTML directory. I would do those before shenanigans.
(#10850)
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: protecting includes

Post by andym01480 »

I've got

    Options -Indexes

in a .htaccess

and an index.php file that redirects back to index.php.

Whenever I've tried other things in .htaccess it stopped index.php accessing it as well! What do you suggest?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: protecting includes

Post by Christopher »

Put the include files in a separate directory than index.php. Put a .htaccess file in the directory with the include files that contains "deny from all". It is still better to put the files outside of the public HTML directory. Then even a mis-configured web server won't give access to the files.
(#10850)
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: protecting includes

Post by andym01480 »

This seems to work, and the file permission on .htaccess is 644:

    Options -Indexes
    <Files *>
    order allow,deny
    deny from all
    </Files>
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: protecting includes

Post by VladSun »

andym01480 wrote: Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if called by index.php in the root directory?
Obviously, your question is not the one you asked.
Probably it should be:
andym01480 wrote: Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if included?
There are 10 types of people in this world, those who understand binary and those who don't
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: protecting includes

Post by andym01480 »

I see what you are saying!
Directory structure:
public_html/index.php
public_html/includes/file.inc.php

What I want is that if someone tries to go to mydomain.com/includes/file.inc.php they get a 403 error, or preferably are redirected to mydomain.com/index.php. Mainly I'm trying to protect against people trying to see what they can find in an includes directory!

    Options -Indexes
    <Files *>
    order allow,deny
    deny from all
    </Files>

achieves that by giving a 403 error.

But having a token in public_html/index.php that is checked by every include file, and then a header back to index.php, achieves forcing an include directory file to be only included by public_html/index.php. I would still need a .htaccess file to prevent looking at the directory and/or a public_html/includes/index.php with something like

    <?php
    // Send direct requests for the includes directory back to the front page.
    header("Location: ../index.php");
    // Stop here; without exit the rest of the script would still execute after the header.
    exit;
    ?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: protecting includes

Post by kaisellgren »

Good, use a .htaccess file to prevent viewing of the files if you cannot put the files outside the document root.

In addition, you probably need just 0440 file permissions, so try that.

It is not recommended to use debug_backtrace(), because it is kind of slow and not meant for this.

On multiplatform scripts, you may have no access to create .htaccess files or to have the files outside the document root - in this case use the define() function to create a constant. Constants cannot be altered, so they are the way to go in this case.
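Pulling the thread's advice together (VladSun's and kaisellgren's define()/defined() constant, Christopher's includes-outside-the-document-root layout, and the entry-point token andym01480 describes), here is an added example; it is not code posted by anyone in this thread. The constant name APP_ENTRY, the directory paths and the greet() function are made up for illustration, and two files are shown in one block, separated by comments.

```php
<?php
// Added example (not code from the thread). Two files shown in one block.
// Assumed layout (constructed for illustration, not the poster's real tree):
//   public_html/index.php    <- the only web-reachable entry point
//   app/lib/file.inc.php     <- one level ABOVE public_html, so the web server
//                               never serves it regardless of .htaccess
//
// ---------- public_html/index.php ----------

// The "token" discussed in the thread: a constant that the entry point defines
// and every include file checks. define() makes it immutable for the request,
// so an include cannot be tricked into thinking it was loaded by index.php.
define('APP_ENTRY', true);

// Build the include path from this file's own location on disk, never from
// client-supplied values such as $_SERVER['REQUEST_URI'].
require __DIR__ . '/../app/lib/file.inc.php';

echo greet('world');

// ---------- app/lib/file.inc.php ----------
?>
<?php
// Guard: refuse to run unless the entry point defined the constant.
// If this file is ever reached directly (misconfigured server, includes left
// under the document root), the request gets a 403 and nothing below runs.
// The exit is essential; a header on its own does not stop execution.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// Ordinary library code follows the guard. greet() is a stand-in for whatever
// the include actually provides.
function greet(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

If you prefer andym01480's redirect to index.php over a 403, replace the http_response_code()/exit() pair with header('Location: /index.php') followed by exit; it is the exit, not the header, that prevents the rest of the include from running. The .htaccess deny and the 0440 permissions discussed above remain worthwhile as independent layers for any include that has to stay under the document root.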