protecting includes
Posted: Wed Jan 28, 2009 5:03 pm
by andym01480
Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if called by index.php in the root directory?
$_SERVER['REQUEST_URI'] I have learned can't be trusted
Re: protecting includes
Posted: Wed Jan 28, 2009 6:02 pm
by VladSun
You can define a constant in your index.php by using define() and then in the included file just check if it's defined by using defined() function.
Re: protecting includes
Posted: Wed Jan 28, 2009 7:06 pm
by aschlosberg
The function debug_backtrace() will provide you with an array describing function calls, includes etc. until the current point. You can go through the returned array and check for /path/to/root/index.php.
I don't know the internal workings of this function so someone with a bit more knowledge will have to verify that it's safe.
Re: protecting includes
Posted: Wed Jan 28, 2009 7:42 pm
by Benjamin
Or you could protect the directory with an .htaccess file.
Re: protecting includes
Posted: Wed Jan 28, 2009 11:29 pm
by Christopher
astions wrote: Or you could protect the directory with an .htaccess file.
I agree. I either use .htaccess to deny all or put the files in a directory outside of the public HTML directory. I would do those before shenanigans.
Re: protecting includes
Posted: Thu Jan 29, 2009 1:39 am
by andym01480
I've got
in a .htaccess
and an index.php file that redirects back to index.php
Whenever I've tried other things in .htaccess it stopped index.php accessing it as well! What do you suggest?
Re: protecting includes
Posted: Thu Jan 29, 2009 1:56 am
by Christopher
Put the include files in a separate directory from the index.php. Put a .htaccess file in the directory with the include files that contains "deny from all". It is still better to put the files outside of the public HTML directory. Then even a mis-configured web server won't give access to the files.
Re: protecting includes
Posted: Thu Jan 29, 2009 3:20 am
by andym01480
This seems to work and the file permission on .htaccess is 644
Options -Indexes
<Files *>
order allow,deny
deny from all
</Files>
Re: protecting includes
Posted: Thu Jan 29, 2009 4:27 am
by VladSun
andym01480 wrote: Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if called by index.php in the root directory?
Obviously, your question is not the one you asked.
Probably it should be:
andym01480 wrote: Is there a way of protecting php scripts (each named like *.inc.php!) in an include folder so they only work if included?
Re: protecting includes
Posted: Thu Jan 29, 2009 4:39 am
by andym01480
I see what you are saying!
Directory structure
public_html/index.php
public_html/includes/file.inc.php
What I want is if someone tries to go to mydomain.com/includes/file.inc.php they get a 403 error or preferably are redirected to mydomain.com/index.php. Mainly I'm trying to protect against people trying to see what they can find in an includes directory!
Options -Indexes
<Files *>
order allow,deny
deny from all
</Files>
achieves that by giving a 403 error.
But having a token in public_html/index.php that is checked by every include file and then a header back to the index.php achieves forcing an include directory file to be only included by public_html/index.php. I would still need a .htaccess file to prevent looking at the directory and/or a public_html/include/index.php with something like
<?php
header("Location:../index.php");
?>
Re: protecting includes
Posted: Thu Jan 29, 2009 7:08 am
by kaisellgren
Good, use .htaccess file to prevent the view of the files if you can not put the files outside the document root.
In addition you probably need just 0440 file permissions so try that.
It is not recommended to use debug_backtrace(), because it is kind of slow and not meant for this.
On multiplatform scripts, you may have no access to create .htaccess files or to put the files outside the document root - in this case use the define() function to create a constant. Constants cannot be altered, so they are the way to go in this case.
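The define()/defined() guard that VladSun and kaisellgren describe, written out as an added example (not code from the thread). It uses andym01480's layout of public_html/index.php and public_html/includes/file.inc.php; the constant name IN_INDEX and the function render_page() are assumptions.

```php
<?php
// ---- public_html/index.php (the only intended entry point) ----
// Define the gate constant BEFORE any include runs, so every include can
// test for it. Constants cannot be redefined or unset later in the request.
define('IN_INDEX', true);

require __DIR__ . '/includes/file.inc.php';
echo render_page();

// ---- public_html/includes/file.inc.php (one of the *.inc.php files) ----
// This check must be the very first statement of the include. If Apache is
// asked for /includes/file.inc.php directly, index.php never ran, IN_INDEX is
// undefined, and nothing below this block executes.
if (!defined('IN_INDEX')) {
    // Either answer 403, as the .htaccess does, ...
    header('HTTP/1.1 403 Forbidden');
    // ... or redirect to the front page as andym01480 prefers:
    // header('Location: /index.php');
    exit; // header() alone does not stop execution; exit is what enforces the guard
}

function render_page(): string
{
    return 'page built from index.php';
}
```

Keep the "deny from all" .htaccess (or move the directory outside the document root) as well: the constant guard only helps when PHP actually executes the file, so it does nothing against the mis-configured server Christopher mentions, which could serve the source as plain text.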