ansaurus

Question

Restrictions on PHP include()

Answer 1

+3 A:

Just move it outside of the document root. This will not work if PHP is in Safe Mode though.

Ignacio Vazquez-Abrams 2010-01-15 03:33:15

Answer 2

+3 A:

Change your webserver configuration to disallow access to that file?

Nicolás 2010-01-15 03:34:21

Answer 3

+3 A:

No, do something like this:

index.php:

<?php

define('ALLOW_INCLUDE', true);

include('other.php');

?>

other.php:

<?php

if (defined('ALLOW_INCLUDE') === false) die('no direct access!');

// your code

?>

Alix Axel 2010-01-15 03:35:00

Remember, this won't work if the files are not parsed by PHP.

Chacha102 2010-01-15 03:41:18

Answer 4

+3 A:

If you currently place all your files (like index.php) in /something/public_html/ you will want to move the files to /something/. That way users cannot access the files.

The /public_html/ is called your document root. That folder is mapped to example.com, and and basically the website starts there. If you move the files to above where the website starts, no one can access those files via a browser.

As Ignacio said, this will not work with include if safe mode is turned on.

Other methods are to place something at the top of the file thats says

if(!defined("RUNNING_SCRIPT"))
    die("No Direct Access Allowed");

and then in your PHP files put

 define("RUNNING_SCRIPT", true);

If RUNNING_SCRIPT is not defined, that means they are directly accessing it, and it stops the page from loading. This only works though if PHP runs on the .html files.

You could also use a .htaccess file to disallowed access to that folders.

Chacha102 2010-01-15 03:35:16

By "PHP runs on the .html files", the html file outputs certain strings using php's echo, would that constitute as 'php runnin on the html file'?

Jorge Israel Peña 2010-01-15 03:55:36

Unless you have modified the server, PHP only runs on `.php` files, or files included by PHP. It is simple, put `<?php echo "Test"; ?>` in the `.html` file and see if it runs when you access it directly, or if you just get the PHP code.

Chacha102 2010-01-15 03:57:24

Some people create a `.htaccess` file to make PHP run on `.html` files, and sometimes the system admin will put it into the PHP configuration. But, if PHP doesn't run on the file, you can't use PHP to protected it.

Chacha102 2010-01-15 04:00:19

So then is it bad practice to `include` `.html` files? I was doing this in hopes of separating concerns and it works really well, except for the part where people can access the html file directly. Configuring the web server is not an option, as this is meant to be a drop-in plugin to a very popular CMS. Is my only hope to integrate the entire xhtml into the php file and make ugly echo calls complete with tedious quote escaping?

Jorge Israel Peña 2010-01-15 04:07:51

Actually, I almost completely missed this. I could just make the `.html` file `.php` and include that `define` constant check at the top, right?

Jorge Israel Peña 2010-01-15 04:08:46

Including `.html` files is not, by any means a bad practice. But, if you plan on using PHP code inside of them, you might want to just rename them to `.php` files instead, and use the `define` solution to stop people from accessing them.

Chacha102 2010-01-15 04:09:34

Correct, you could just rename the files :)

Chacha102 2010-01-15 04:10:11

Generally I name all of the files that contain php to end in `.php`, as I might use them incorrectly otherwise.

Chacha102 2010-01-15 04:13:20

Awesome, thanks again I appreciate it.

Jorge Israel Peña 2010-01-15 04:25:14

Answer 5

+1 A:

It's a good idea to place this as the first line.

You can also use .htaccess or drop a index.html page too as fallbacks.

<?php defined('SOME_CONSTANT_GLOBAL_TO_YOUR_APP') or die('Access denied.'); ?>

alex 2010-01-15 03:43:10

Answer 6

A:

may be apache access control? http://httpd.apache.org/docs/2.2/howto/access.html

Ilya Biryukov 2010-01-15 03:48:53

ansaurus

tags:

views:

answers:

Restrictions on PHP include()

related questions