php2009world Posted August 16, 2009

Hi!

In some cases (many middle-size companies face this problem), we have the main PHP application running from the root or main application folder. Only the core development team (hired in-house or outsourced) has access to it. (Updates to this PHP system (changing code) are rare once it is running fine and live.)

Team members from other departments share (or use) some PHP include files to generate reports related to their departments only. They have FTP access to their folder only. (They do not have FTP access to the root folder.)

For example: include "../../template/header.php";

They can only view/use the above line of code, but that FTP folder has permission to run PHP code (required).

My query is: they can include files like header.php from the root (or main application folder), but they don't have FTP permission to modify/delete/view header.php. I want them to use/include these include files, but I do not want them to view/modify/delete them from their sub FTP account.

Can they view the PHP code from their FTP account (using any PHP function like fopen)? If yes, then how do I prevent them, and what type of permission should I set on the include files or the main PHP application folder?

(Many middle-size company IT managers like me face this type of problem, but all security topics cover only external security. What about in-house security?)

Regards
wildteen88 Posted August 16, 2009

You can set your header.php file to be read-only. That way they can't edit it.
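
The read-only setting suggested above, as an added shell example that is not part of either post: it strips the write bits from every shared include file and then audits the result. The function names and the directory passed in are assumptions for illustration. The read bits are left in place, because PHP has to be able to read a file in order to include it.

```bash
#!/usr/bin/env bash
# Added example: make shared PHP include files read-only and audit them.
# Function names and the directory argument are illustrative assumptions.

# Print the nine permission characters of a path, e.g. "r--r--r--".
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Succeed only if no write bit (owner, group or other) is set on the file.
is_read_only() {
    case "$(perm_string "$1")" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Remove every write bit from the *.php files under a directory.
# Read bits are left untouched so the files can still be included.
lock_includes() {
    find "$1" -type f -name '*.php' -exec chmod a-w {} +
}

# List include files that are still writable; return 1 if any were found.
audit_includes() {
    local out
    out=$(find "$1" -type f -name '*.php' | while IFS= read -r f; do
        is_read_only "$f" || printf 'WRITABLE %s\n' "$f"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: pass the shared include directory as the first argument.
if [ -n "${1:-}" ]; then
    lock_includes "$1"
    audit_includes "$1"
fi
```

The owner of a file can add the write bit back, so the include files should be owned by an account the department FTP users cannot log in as.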