Assuming you have Apache/Unix (don't know about any other set-ups), I do the
following.

1. Name all included files .inc. I do this for many reasons, but mainly to
help me know which are executables and which are includes.  It also helps
with step 3.

2. I always keep them in a separate dir to the rest of my code, eg /inc/

3. Include a .htaccess file in the /inc/ directory (or further up towards
your docroot) with the following:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

Basically, it denies direct (http) access to all *.inc files.  This means
the only way you can use/view/execute .inc files is by things like include()
in another php script.  I believe that Apache spits out a 500 error page if
you try to access something.inc via the URL.


4. In addition (and a small deterrent in itself if step 3 is unavailable), I
include a blank or redirecting index.html file in the /inc/ directory, so
that they can't view the directory listing at all.


An additional security measure might be to ensure that only certain scripts
can access the inc files, but I haven't gone that far yet :)

I'm unsure how well this prevents other users on the server from accessing
the files though.


Unfortunately this will require the admin to allow you to use htaccess files
in your on-disk hierarchy, or possibly requesting him/her to make the
changes needed themselves.


Justin French




on 28/06/02 6:25 PM, Nick Wilson ([EMAIL PROTECTED]) wrote:

> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
> 
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?
> 
> Many thanks
> -- 
> Nick Wilson     //  www.explodingnet.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
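Added example, not from the thread: when the host does not honour .htaccess (the situation Nick describes), a guard at the top of each .inc file gives a second line of defence. It assumes a hypothetical inc/config.inc and a constant named IN_APP that the including script defines before the require.

```php
<?php
// inc/config.inc  (hypothetical include file; added example, not code from the thread)
//
// The executable script that uses this file must do, in this order:
//     define('IN_APP', true);
//     require 'inc/config.inc';
// If the web server serves this file directly instead, IN_APP is undefined,
// so the file refuses to run and nothing below this point is executed.
if (!defined('IN_APP')) {
    http_response_code(403);           // same outcome as Apache's Deny rule
    exit('Direct access to include files is forbidden.');
}

// Everything from here on is only reached via include()/require().
// Constructed sample values, not a real configuration.
function db_config(): array
{
    return [
        'host' => 'localhost',
        'name' => 'example_db',
    ];
}
```

On Apache 2.4 the equivalent of the Order/Deny pair in step 3 is `Require all denied`; with either the directive or the guard in place a direct request for the .inc file is answered with 403 Forbidden.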
