blaher Posted October 27, 2009

I'll have to set up an example, so I can explain this better. Say I have the following directory setup:

/public_html/
- /config.php
- /index.php
- /inc/
- /site1/
- /site2/

In /public_html I have the domain rootsite.com pointing to /public_html/. I have site1.com pointing to /public_html/site1/ and site2.com to /public_html/site2/. Now the problem is there could be an injected file in /site1 that uses:

```php
<?php
// Reads the parent site's configuration from inside /site1
include('../config.php');
echo $password, "\n";
// Reads the sibling site's configuration
include('../site2/config.php');
echo $password, "\n";
// Overwrites the parent site's index page
$fh = fopen('../index.php', 'w');
fwrite($fh, "You've been hacked\n");
fclose($fh);
?>
```

I want to restrict this somehow from happening, without blocking web access.

trq Posted October 28, 2009

You need to give your sites their own document roots instead of defining them within sub-directories of public_html. This isn't a PHP question, but a server config question.

blaher Posted October 28, 2009

That's not an option. I'm using Hostmonster as my host, which uses cPanel. I can only have one document root.

trq Posted October 28, 2009

You could wrap all your code in checks for the referring domain then. Other than that, I don't see a better option but to get a host that actually supports virtual hosting.
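
The separate-document-root layout recommended in the replies above, written out as an Apache configuration. This is an added example, not from the thread or any of its participants. It assumes Apache 2.4 with mod_php (which provides `php_admin_value`); `/home/USER` and the `sites/` and `tmp/` directories are placeholders.

```apache
# Added example. /home/USER, sites/ and tmp/ are placeholders, not paths from the thread.

# Before: site1.com and site2.com live inside the rootsite.com document root,
# so PHP running in /site1/ can reach ../config.php and ../site2/config.php.
#   rootsite.com -> /home/USER/public_html/
#   site1.com    -> /home/USER/public_html/site1/
#   site2.com    -> /home/USER/public_html/site2/

# After: sibling document roots, each confined by its own open_basedir.
<VirtualHost *:80>
    ServerName site1.com
    DocumentRoot "/home/USER/sites/site1"
    <Directory "/home/USER/sites/site1">
        Require all granted
        # Ignore .htaccess so a dropped file cannot change settings for this tree.
        AllowOverride None
    </Directory>
    # include(), fopen() and other PHP file functions fail outside these paths.
    # The trailing slash matters: without it the value is a prefix match,
    # and ".../site1" would also allow ".../site10".
    php_admin_value open_basedir "/home/USER/sites/site1/:/home/USER/tmp/site1/"
    # Keep uploads and sessions inside the allowed tree.
    php_admin_value upload_tmp_dir "/home/USER/tmp/site1"
    php_admin_value session.save_path "/home/USER/tmp/site1"
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.com
    DocumentRoot "/home/USER/sites/site2"
    <Directory "/home/USER/sites/site2">
        Require all granted
        AllowOverride None
    </Directory>
    php_admin_value open_basedir "/home/USER/sites/site2/:/home/USER/tmp/site2/"
    php_admin_value upload_tmp_dir "/home/USER/tmp/site2"
    php_admin_value session.save_path "/home/USER/tmp/site2"
</VirtualHost>
```

Moving the document roots apart only removes the `../` relationship between the sites; when both sites run PHP as the same system user, it is `open_basedir` (or separate users per site) that stops one site's scripts from opening the other's files.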