I'd like to be able to place all my ASP Classic include files outside of the web root. This assures no include files can be called directly via the URL.

What is the best way to accomplish this?

I know I can use a virtual directory to reference an includes folder outside of web root, but doesn't that still allow direct access to that directory via the URL? Perhaps I'm misunderstanding the nature of virtual directories.

A: 

From this article:

(I've never needed to do this myself)

Understood. Make a virtual directory 'inside' your Default Web Site that points to the files 'outside' your working folder. In your code, reference the virtual directory that points to the folder / files outside your normal structure. For example:

Your default website is a local folder called c:\websites\example.com. Under example.com are all your folders and files. However, the files you want are on a file server called FileServerA in a folder called D:\MyWebsiteIncludes. The UNC path is \\FileServerA\D$\MyWebSiteIncludes or, if you create a share on the folder, \\FileServerA\MyWebsiteIncludes. On the web server, create a virtual directory that maps to either share path. You'll need to make sure the proper credentials are configured to access the files on the remote server.

Diodeus
+1  A: 

Although not recommended, you could also enable the 'Enable parent paths' option in IIS, which will allow you to reference files outside the webroot via the include directive, as well as allow access via the FileSystemObject. This is generally not recommended though, as it does pose a security risk.

For directions on how to do this, check out the Enabling Parent Paths article on MSDN.

It's been a while since I used Classic ASP, but generally, I'd only declare subroutines and functions in include files, and then call those from the main application code. This has the unintended side effect where if someone does guess the path to an include and accesses the file directly via their browser, it wouldn't actually do anything as no code is executed.

Mun
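
The pattern from the two answers above, as an added example that is not part of either answer: an include file that only declares functions, pulled in through a virtual directory with `#include virtual`, which resolves from the site root and so needs no parent paths. The virtual directory name `/includes`, the file names and the function names are assumptions made for illustration, and the two files are shown in one listing.

```asp
<%
' ===== File 1: lib.asp, stored in the folder behind the /includes =====
' ===== virtual directory (hypothetical name)                      =====
' Only Function/Sub declarations live here. If someone requests this
' file directly, no statement runs and no output is produced.

Function SafeText(ByVal value)
    ' HTML-encode anything that is echoed back to the browser.
    ' Appending "" turns Null/Empty into an empty string first.
    SafeText = Server.HTMLEncode(value & "")
End Function

Function IsValidPageName(ByVal name)
    ' Accept only short names made of letters, digits, "-" and "_".
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,32}$"
    IsValidPageName = re.Test(name & "")
End Function
%>

<%
' ===== File 2: default.asp, inside the web root =====
Option Explicit
%>
<!-- #include virtual="/includes/lib.asp" -->
<%
Dim page
page = Request.QueryString("page")

If IsValidPageName(page) Then
    Response.Write "<h1>" & SafeText(page) & "</h1>"
Else
    Response.Status = "400 Bad Request"
    Response.Write "Invalid page name"
End If
%>
```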