> How To Protect Included Files
Feelay
post Mar 9 2008, 02:12 PM
Post #1


Advanced Member

Group: Members
Posts: 187
Joined: 13-January 08
From: Sweden
Member No.: 27,579



Hey!

How can I make my included files 100% safe?

Like if I include a file with this code..

CODE
include "bla.php";


How can I make it 100% safe? I know I must close the PHP tags in the included files, but what more?
faulty.lee
post Mar 9 2008, 04:07 PM
Post #2


Premium Member

Group: [HOSTED]
Posts: 442
Joined: 5-November 06
Member No.: 17,016



What do you mean by safe?
Feelay
post Mar 9 2008, 04:49 PM
Post #3





No one can view the code, or even know that they exist. That should be enough.

This post has been edited by Feelay: Mar 9 2008, 04:50 PM
faulty.lee
post Mar 9 2008, 05:19 PM
Post #4





No one can actually view your PHP file in the first place. Unless you mistakenly configure the server to serve PHP pages as HTML, then it would just display them as plain text. Otherwise, no way.

The other thing is, most servers serve the include folder above the www/html root, thus making it only visible to the code, but no way to access it from the outside world.

CODE
yourroot/www/your html files --> http://yourserver/index.html
yourroot/cgi-bin <-- No way to see this from outside, unless you can actually do this, (http://yourserver/../cgi-bin) which is not possible
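Added example, not part of any post in this thread: one way to use the layout faulty.lee describes, with the include folder above the web root and files pulled in by absolute path. It goes one step further than the post by refusing any name that resolves outside that folder. The helper name `private_path()` and the temp-directory layout are assumptions made up for the example.

```php
<?php
declare(strict_types=1);

/**
 * Resolve $name inside $base (a directory above the web root) and return
 * its absolute path; throw if it is missing or resolves outside $base.
 * private_path() is a hypothetical helper name.
 */
function private_path(string $base, string $name): string
{
    $root = realpath($base);
    if ($root === false) {
        throw new RuntimeException("Include directory missing: $base");
    }
    // realpath() collapses "../" and symlinks, so the prefix test is reliable.
    $path   = realpath($root . DIRECTORY_SEPARATOR . $name);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Refusing to include: $name");
    }
    return $path;
}

// Constructed layout in a temp directory, mirroring the post:
//   <tmp>/www/       <- document root, reachable by URL
//   <tmp>/includes/  <- above the web root, no URL maps to it
$site = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir("$site/www", 0700, true);
mkdir("$site/includes", 0700, true);
file_put_contents("$site/includes/bla.php", "<?php return 'loaded bla.php';\n");
file_put_contents("$site/www/index.php", "<?php // public entry point\n");

// What www/index.php would do: include by absolute path, not relative to CWD.
$inc    = "$site/www/../includes";
$result = require private_path($inc, 'bla.php');
echo $result, PHP_EOL;

// A name that climbs out of the include directory is rejected.
try {
    require private_path($inc, '../www/index.php');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```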
Mordent
post Mar 9 2008, 06:42 PM
Post #5


Advanced Member

Group: [HOSTED]
Posts: 194
Joined: 30-June 07
Member No.: 23,045



I'm no expert, but surely a simple check to see if the include is being accessed from another page on your site would be enough? If so, just define a variable at the start of the script in which you use the include. Then, in the included file, check that whatever variable you used is defined, and if not simply die() (i.e. don't process the script). Possible error messages would include "This file cannot be directly accessed!" or the like.

Anything wrong with this method of doing things?
TavoxPeru
post Mar 12 2008, 12:12 PM
Post #6


Super Member

Group: [HOSTED]
Posts: 713
Joined: 8-April 06
From: Lima - Peru
Member No.: 12,579



I'm not 100% sure, but you can use the define and defined PHP functions for securing your include files: first define a constant in the caller page and then verify if it is defined in the include file.

Caller File:
CODE
<?php
define( "MY_ACCESS_CODE", true );
include("includefile.php");
?>

Included File (includefile.php):
CODE
<?php
defined( 'MY_ACCESS_CODE' ) or die( 'Direct Access to this location is not allowed.' );
?>

EDIT:
  • The solution given by faulty.lee is another good one.
  • You can use session variables.
  • The code that I posted was taken from this topic, A Simple Checking & Validation PHP Script; check it out for more information about this solution.
Best regards,

This post has been edited by TavoxPeru: Mar 12 2008, 10:16 PM
Mordent
post Mar 12 2008, 05:29 PM
Post #7





QUOTE(TavoxPeru @ Mar 12 2008, 12:12 PM) *
I'm not 100% sure, but you can use the define and defined PHP functions for securing your include files: first define a constant in the caller page and then verify if it is defined in the include file.

Caller File:
CODE
<?php
define( "MY_ACCESS_CODE", true );
include("includefile.php");
?>

Included File (includefile.php):
CODE
<?php
defined( 'MY_ACCESS_CODE' ) or die( 'Direct Access to this location is not allowed.' );
?>

Best regards,

*nods* That'd be the way I described above, but in code format. One point to bear in mind is that you'd need to define the access code once only per page (if you have more than one include). I doubt it would hurt to define it more than once, but it's just messy coding in my opinion.
Dizzy
post Mar 12 2008, 07:18 PM
Post #8


Newbie [ Level 1 ]

Group: Members
Posts: 4
Joined: 12-March 08
Member No.: 29,066



It's really complicated but easy if you know how. Get someone you know to help you out :) Make sure you know what you're doing.
vujsa
post Mar 15 2008, 10:14 AM
Post #9


Absolute Newbie

Group: Admin
Posts: 871
Joined: 20-February 05
From: Indianapolis, Indiana, USA (Midwest)
Member No.: 2,714



Well, I realize that this discussion may be resolved but I figured it couldn't hurt to provide the information anyway.

There actually is a tutorial about the subject on the forums:
CMS103 - Securing Your Website, Keeping your included files from being accessed directly.

Actually, I see that Feelay has read the article already.

Anyway, it discusses this situation.

One additional security measure for your files is to prevent them from being seen altogether. Basically, do not allow anyone to view the files in a given directory. As most of you know, on most servers if there isn't an index file (index.html) then the server makes a nice directory listing of every file in that folder! To prevent this, you can change your server setting or simply add a blank index.html file to EVERY folder on your server.

If you want to get creative, you could use the following index.html file instead:
CODE
<html>
<head>
<title>You Aren't Allowed Here!</title>
</head>
<body>
Yeah, like we were just going to let you look around and try to see all of our super secret files and images!<br />
Not to worry, they all look a lot better when viewed through the main page: <a href="http://domain.com/index.php">Main Page</a>
</body>
</html>


Alternately, you could simply add the following to the .htaccess file in the parent directory of the folders you do not want to show indexes on:
CODE
Options -Indexes



Hope this helps,
vujsa
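Added example, not part of any post in this thread: a small audit script for vujsa's "index file in EVERY folder" advice. It walks a document root and reports each directory that has no index file and would therefore get an auto-generated listing wherever indexes are still enabled. The list of index file names and the sample tree are assumptions; the script does not read `.htaccess`, so directories already covered by `Options -Indexes` are still reported.

```php
<?php
declare(strict_types=1);

// Names treated as an index file. The real list is the server's
// DirectoryIndex setting, so this default is an assumption.
const INDEX_NAMES = ['index.html', 'index.htm', 'index.php'];

/** True if $dir holds at least one of the index file names. */
function has_index(string $dir, array $names = INDEX_NAMES): bool
{
    foreach ($names as $name) {
        if (is_file($dir . DIRECTORY_SEPARATOR . $name)) {
            return true;
        }
    }
    return false;
}

/** Return $docroot and every directory below it that has no index file. */
function dirs_without_index(string $docroot): array
{
    $missing = has_index($docroot) ? [] : [$docroot];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $entry) {
        // Symlinked directories are skipped; the iterator does not descend into them.
        if ($entry->isDir() && !$entry->isLink() && !has_index($entry->getPathname())) {
            $missing[] = $entry->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

// Constructed sample tree: only www/ and www/includes/ have an index file.
$root = sys_get_temp_dir() . '/index_audit_' . getmypid() . '/www';
foreach (['', '/images', '/includes', '/includes/lib'] as $sub) {
    mkdir($root . $sub, 0700, true);
}
file_put_contents("$root/index.php", "<?php // main page\n");
file_put_contents("$root/includes/index.html", '');   // the blank file from the post

foreach (dirs_without_index($root) as $dir) {
    echo "no index file: $dir", PHP_EOL;
}
```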
Feelay
post Mar 15 2008, 10:43 AM
Post #10





Thanks Vujsa :)
And yes. I remembered that I had read your topic, when I saw TavoxPeru's post :)
