The issue here is that Apache is running as a single user, so that single
user must be able to read all php scripts it wants to parse.  So, putting
the files in a non-htdocs directory can help a little, but Apache can still
read them if anyone else on the server asks apache to.

The real way to protect files is with permissions, AND using some sort of
CGI wrapper or suEXEC.  That allows each virtual host in Apache to run as the
user that owns the files.  That way you can say "Only my apache user can
read my files" so all the other hosts on the site can't have apache reading
your files.

The problem, although I'm still foggy on this, is that these cgi wrappers
and suEXEC ONLY work with cgi applications.  So, if you run php as an Apache
module, the wrappers won't work.  If I'm wrong about that, please let me
know.

There are some user notes about this here:
http://www.php.net/manual/sl/function.fopen.php

HTH,

Peter Janett

New Media One Web Services
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882



----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "Pax" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 5:40 PM
Subject: Re: [PHP] Protecting files


> My preference
>
> 1. if possible, store the files above your public_html directory (doc
> root)... this means they cannot be served over http:// by apache; if that
> isn't possible:
>
> 2. use .htaccess to either block the entire directory of includes, or all
> *.inc files, or whatever you think is best.  Personally, I block *.inc
> across all my sites, via a .htaccess file in the doc root:
>
> <Files ~ "\.inc$">
>     Order Allow,Deny
>     Deny from all
> </Files>
>
> 3. I don't think permissions (chmod) of the file will help much, since
> apache needs to read the files for them to be included... you should make
> sure that other users on the server cannot include() your .inc files from
> their account... if they can, find a new ISP ASAP, because they're obviously
> DUMB.
>
>
> I personally don't like the idea of naming all inc files *.php, because
> there is a CHANCE that they might be executed out of context (imagine if you
> had an include file which (stupidly) worked fine within the context of your
> whole site, but accidentally deleted a whole table of data if executed on
> its own... YUK!!).
>
> The upside of naming them .php is that if the server's sys admin accidentally
> takes away permission for .htaccess files, or you accidentally delete your
> own .htaccess file, you're still protected.
>
>
> Perhaps you could consider BOTH:
>
> <Files ~ "\.inc\.php$">
>     Order Allow,Deny
>     Deny from all
> </Files>
>
> ... this will prevent them being served at all... in the event that the
> .htaccess is deleted or disabled, you can rest easy that PHP will parse
> them, so that they cannot see the raw file.
>
>
> By the way, this has been discussed in the archives MANY times, so do some
> background research first... or even right now :)
>
>
> Justin
>
>
>
> on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:
>
> > Hello,
> >
> > How can I protect my php files among other files like templates
> > (.inc) and mysql config (config.inc) files being copied/read/imported (front
> > page)/used by other applications other than my
> > site...
> >
> > can this be done by htaccess? if so, could anyone point me in the right
> > direction?
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
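One way to put Justin's two suggestions into practice (keep sensitive includes above the document root, and make any include that has to live under the document root refuse to run on its own), shown as an added example that is not code from either poster or from the PHP project. The /home/site layout, the IN_APP constant, the db_connect() helper and the database values are all hypothetical; three files are shown in one listing, with a comment marking where each begins.

```php
<?php
// Added example (not code from the thread). Three files in one listing;
// the "=====" comments mark where each file starts. Paths under /home/site
// and all database values are hypothetical / constructed.

// ===== /home/site/public_html/index.php  (the only public entry point) =====
define('IN_APP', true);               // set BEFORE any include runs

// Config lives ABOVE the document root (Justin's option 1): Apache never
// serves that path, so a deleted .htaccess or a disabled AllowOverride
// cannot expose it. __DIR__ keeps the path independent of the cwd.
require __DIR__ . '/../private/config.inc.php';
require __DIR__ . '/lib/db.inc.php';

$db = db_connect();
echo 'Connected to ' . DB_NAME . "\n";

// ===== /home/site/private/config.inc.php  (outside the document root) =====
// Belt and braces: even though this file is unreachable over HTTP, refuse
// to do anything unless an entry point has declared we are inside the app.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted');
}
const DB_HOST = 'localhost';          // constructed sample values
const DB_NAME = 'example_db';
const DB_USER = 'example_user';
const DB_PASS = 'change-me';

// ===== /home/site/public_html/lib/db.inc.php  (inside the document root) =====
// This file CAN be requested as a URL. The .php suffix means Apache hands it
// to the PHP engine instead of serving the source, and the guard below turns
// an out-of-context request into a bare 403, so the "accidentally deleted a
// whole table when executed on its own" scenario from the thread cannot
// happen: nothing below the guard runs without IN_APP.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

function db_connect(): mysqli
{
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    if ($db->connect_error) {
        throw new RuntimeException('DB connection failed: ' . $db->connect_error);
    }
    return $db;
}
```

The guard does not replace the .htaccess rule from the thread; the two layers fail independently (one relies on Apache configuration, the other on the PHP engine being the handler), which is the point of combining them. Note that on Apache 2.4 the `<Files ~ "...">` / `Order` / `Deny from all` form quoted above only works while mod_access_compat is loaded; the native 2.4 equivalent is a `<FilesMatch "\.inc$">` section containing `Require all denied`.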
