
How do I protect include files from being opened via browser?


Ivan Ivković


Let's say somebody opens some of my class files via:

Example:

http://admin.mysite.com/classes/main.php


Can he do anything to harm my website?

Is this important to protect?

I keep protecting file by file with a function like:

<?php
// pagevariables.php is assumed to set $current_page and the $file array
include('pagevariables.php');

// redirect away when this class file itself was requested directly
if ($current_page == $file['mainclass']) {
    header('Location: ' . $file['home']);
    exit; // stop here, otherwise the rest of the file still runs after the redirect header
}


Is this possible via .htaccess? I don't know how to write htaccess.

There are a variety of ways to do it, but the easiest in my opinion is simply placing it in a secured directory and using .htaccess to deny direct access.

Here is a great site on writing .htaccess permissions: http://www.askapache.com/htaccess/htaccess.html

And here's an example about protecting your include file from being directly accessed if you don't want that to happen: http://davidwalsh.name/htaccess-security-include-files

Can he do anything to harm my website?

Is this important to protect?

Assuming your includes only define functions or classes and do not have any code that would run, then someone loading them in the browser is harmless; they would just get a blank page and your script would essentially do nothing.

If your files do have some code that runs, then you'd have to decide whether it can cause any problems or not. For instance, if you have a file that you include which connects to your DB, someone running it directly is probably harmless as it would just connect then immediately disconnect when the script ends.

However, if you do want to prevent people from accessing them directly then you have some options:

1) (preferred) Store all your includes in a directory that is outside of your web root. This way the web server will not serve them and nobody can access them. Your scripts will still be able to include them as they can access things out of the web root.

2) Configure the server to deny requests for that directory. For apache you can do this via .htaccess. Other servers have their own ways most likely.

3) Include a little check at the top which will check if the current request is for that file and if so die().
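As an added illustration of options 1 and 3 above (example code written for this page, not posted by anyone in the thread), here is what the "little check at the top" of an include file can look like. The paths, the IN_APP constant and the Main class are assumed names for the example.

```php
<?php
// includes/main.php (hypothetical path). Option 3 from the answer above:
// refuse to run when this file itself is the script the web server executed.
// The entry point (e.g. public/index.php, the only file under the web root) does:
//     define('IN_APP', true);
//     require dirname(__DIR__) . '/includes/main.php';  // option 1: includes/ lives outside the web root

// Check A: the entry point must have defined the marker constant first.
// A direct request for this file never passes through index.php, so the
// constant is missing and the file stops before any real code runs.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access is not allowed.');
}

// Check B: compare the script the server actually executed with this file.
// This still holds if the file is ever copied under the web root by mistake.
$executed = isset($_SERVER['SCRIPT_FILENAME']) ? realpath($_SERVER['SCRIPT_FILENAME']) : false;
if ($executed !== false && $executed === realpath(__FILE__)) {
    http_response_code(403);
    exit('Direct access is not allowed.');
}

// Only reached when loaded through the entry point.
class Main
{
    public function title(): string
    {
        return 'Home';
    }
}
```

Either check alone is enough; check A is the more common pattern, check B needs no cooperation from the entry point.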

 
