Replying to How To Protect Included Files



Topic Summary

Quatrux

Posted 16 March 2008 - 12:13 AM

If you really want to protect your php files, include it from a directory where there is a .htaccess file with "deny from all", php still will be able to include it and execute, moreover, that directory could be outside public_html or www directory whatever, I mean somewhere, before public_html/ that it wouldn't be directly accessible to users, but php will still be able to include them. :)

Feelay

Posted 15 March 2008 - 10:43 AM

Thanks Vujsa :)
And yes. I remembered that I had read your topic, when I saw TavoxPeru's post :)

vujsa

Posted 15 March 2008 - 10:14 AM

Well, I realize that this discussion may be resolved but I figured it couldn't hurt to provide the information anyway.

There actually is a tutorial about the subject on the forums:
CMS103 - Securing Your Website, Keeping your included files from being accessed directly.

Actually, I see that Feelay has read the article already. :)

Anyway, it discusses this situation.

One additional security measure for your files is to prevent them from being seen altogether. Basically, do not allow anyone to view the files in a given directory. As most of you know, on most servers if there isn't an index file (index.html) then the server makes a nice directory listing of every file in that folder! To prevent this, you can change your server setting or simply add a blank index.html file to EVERY folder on your server.

If you want to get creative, you could use the following index.html file instead:
<html>
<head>
<title>You Aren't Allowed Here!</title>
</head>
<body>
Yeah, like we were just going to let you look around and try to see all of our super secret files and image!<br />
Not to worry, they all look a lot better when viewed through the main page: <a href="http://domain.com/index.php">Main Page</a>
</body>
</html>

Alternately, you could simply add the following to the .htaccess file in the parent directory of the folders you do not want to show indexes on:
Options -Indexes


Hope this helps,
vujsa

Dizzy

Posted 12 March 2008 - 07:18 PM

It's really complicated but easy if you know how. Get someone you know to help you out :) Make sure you know what you're doing.

Mordent

Posted 12 March 2008 - 05:29 PM

I'm not 100% sure, but you can use the define and defined PHP functions for securing your include files: first define a constant in the caller page and then verify if it is defined in the include file.

Caller File:

<?php
define( "MY_ACCESS_CODE", true );
include("includefile.php");
?>
Included File (includefile.php):
<?php
defined( 'MY_ACCESS_CODE' ) or die( 'Direct Access to this location is not allowed.' );
?>
Best regards,

*nods* That'd be the way I described above, but in code format. One point to bear in mind is that you'd need to define the access code once only per page (if you have more than one include). I doubt it would hurt to define it more than once, but it's just messy coding in my opinion.

TavoxPeru

Posted 12 March 2008 - 12:12 PM

I'm not 100% sure, but you can use the define and defined PHP functions for securing your include files: first define a constant in the caller page and then verify if it is defined in the include file.

Caller File:
<?php
define( "MY_ACCESS_CODE", true );
include("includefile.php");
?>
Included File (includefile.php):
<?php
defined( 'MY_ACCESS_CODE' ) or die( 'Direct Access to this location is not allowed.' );
?>
EDIT:
  • The solution given by faulty.lee is another good one.
  • You can use session variables.
  • The code that I posted was taken from this topic, A Simple Checking & Validation PHP Script; check it out for more information about this solution.
Best regards,

Mordent

Posted 09 March 2008 - 06:42 PM

I'm no expert, but surely a simple check to see if the include is being accessed from another page on your site would be enough? If so, just define a variable at the start of the script in which you use the include. Then, in the included file, check that whatever variable you used is defined, and if not simply die() (i.e. don't process the script). Possible error messages would include "This file cannot be directly accessed!" or the like.

Anything wrong with this method of doing things?

faulty.lee

Posted 09 March 2008 - 05:19 PM

No one can actually view your php file in the first place. Unless you mistakenly configure the server to serve php pages as html, then it would just display them as plain text. Otherwise, no way.

The other thing is, most servers serve the include folder above the www/html root, thus making it only visible to the code, but no way to access it from the outside world.

yourroot/www/your html files --> http://yourserver/index.html
yourroot/cgi-bin <-- No way to see this from outside, unless you can actually do this, (http://yourserver/../cgi-bin) which is not possible

Feelay

Posted 09 March 2008 - 04:49 PM

No one can view the code, or even know that they exist. That should be enough.

faulty.lee

Posted 09 March 2008 - 04:07 PM

What do you mean by safe?
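
An audit sketch for the protections raised in this thread (includes kept outside the web root, a deny-all .htaccess, and the defined() guard), added here as an example and not written by any poster. The status names, the 2048-byte guard window and the command-line form are assumptions; it is a static heuristic and does not confirm that Apache actually honours .htaccess files (AllowOverride).

```python
import re
import sys
from pathlib import Path

# "deny from all" is the Apache 2.2 form quoted in the thread;
# "Require all denied" is the Apache 2.4 equivalent.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)
# The thread's guard, defined('X') or die(...), plus the if (!defined('X'))
# spelling of the same check.
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]\w+['\"]\s*\)\s*(or|\|\|)\s*(die|exit)\b"
    r"|!\s*defined\s*\(\s*['\"]\w+['\"]\s*\)[^;]*?\b(die|exit)\b",
    re.IGNORECASE)


def htaccess_denies(directory, docroot):
    """True if directory, or a parent up to docroot, has a deny-all .htaccess."""
    d = directory
    while True:
        ht = d / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="replace")):
            return True
        if d == docroot or d == d.parent:
            return False
        d = d.parent


def audit_includes(docroot, include_dir):
    """Map each .php file under include_dir to the protection covering it."""
    docroot, include_dir = Path(docroot).resolve(), Path(include_dir).resolve()
    results = {}
    for f in sorted(include_dir.rglob("*.php")):
        if docroot not in f.parents:
            status = "outside-docroot"   # not reachable by URL at all
        elif htaccess_denies(f.parent, docroot):
            status = "htaccess-deny"     # assumes AllowOverride honours .htaccess
        elif GUARD_RE.search(f.read_text(errors="replace")[:2048]):
            status = "defined-guard"     # heuristic: guard near top of file
        else:
            status = "EXPOSED"           # runs when requested directly
        results[f.relative_to(include_dir).as_posix()] = status
    return results


if __name__ == "__main__":   # usage: audit.py <docroot> <include_dir>
    for path, status in audit_includes(sys.argv[1], sys.argv[2]).items():
        print(f"{status:16} {path}")
```

Files reported as EXPOSED are the ones to move above the web root or put behind one of the other two protections.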
