
Protecting Include Files


Guest FirefoxRocks


Is this a secure method of protecting files that I include (require):

<?php
if ('included-file.php' === basename($_SERVER['SCRIPT_FILENAME'])) {
    die('<h2>Direct File Access Prohibited</h2>');
}
?>

I can also use .htaccess in the includes/ directory. If this isn't secure, what are some methods that I can use, considering that I can only place files in the public_html (htdocs) folder?


Guest FirefoxRocks

The purpose is to block people from including that file from other sites/servers... so:

This is how I would include the file:

<?php include_once("includes/someFile.php"); ?>

But other people would need to do this:

<?php include_once("http://example.net/includes/someFile.php"); ?>

Is the code above going to protect from this?


I'd check for the HTTP_HOST instead:

if($_SERVER['HTTP_HOST'] != "mydomain.com")  die ('<h2>Direct File Access Prohibited</h2>');

EDIT: Actually, that wouldn't work, since the script would only run on your server anyways.


Guest FirefoxRocks

So I'm assuming the code I wrote above, .htaccess and the variable check is the strongest defence against unauthorized file including?


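You can modify the file permissions so that only the owner can read it and execute it. The method you showed here does work and it requires nothing else in order to be protected.

<?php
// include_file.php: refuse to run unless the including script set $ping first
if (!isset($ping) || $ping != "pong") {
    exit('<h2>You cannot access this file directly!</h2>');
}
?>

<?php
// Including script: set the flag, then include the protected file
$ping = "pong";
include_once("include_file.php");
?>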

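The guards discussed so far, compared side by side as an added example (not code from any poster in this thread). The full-path variant, the `APP_ENTRY` constant and every file and directory name are assumptions made for the demo; each script runs in its own PHP CLI process, which stands in for one web request.

```php
<?php
// Added example: directories, file names and APP_ENTRY are constructed for the demo.
$guards = [
    // The check from the first post: compares file names only.
    'basename check'       => 'if ("lib.php" === basename($_SERVER["SCRIPT_FILENAME"])) die("blocked");',
    // Variant (assumption): compares resolved full paths instead.
    'full-path check'      => 'if (realpath($_SERVER["SCRIPT_FILENAME"]) === __FILE__) die("blocked");',
    // The ping/pong idea with a constant, which request input cannot define.
    'entry-point constant' => 'if (!defined("APP_ENTRY")) die("blocked");',
];

// Run one script in its own PHP process, standing in for one web request.
function run_script(string $path): string {
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path));
}

// Build includes/lib.php with the given guard plus two entry points, then request each.
function try_guard(string $root, string $guard): array {
    mkdir("$root/includes", 0700, true);
    mkdir("$root/admin", 0700, true);
    $lib = "$root/includes/lib.php";
    file_put_contents($lib, "<?php\n$guard\necho 'library loaded';\n");
    $entry = "<?php\ndefine('APP_ENTRY', true);\nrequire " . var_export($lib, true) . ";\n";
    file_put_contents("$root/index.php", $entry);
    file_put_contents("$root/admin/lib.php", $entry); // entry point that shares the basename
    return [
        'direct request'    => run_script($lib),
        'via index.php'     => run_script("$root/index.php"),
        'via admin/lib.php' => run_script("$root/admin/lib.php"),
    ];
}

$base = sys_get_temp_dir() . '/guard-demo-' . getmypid();
$n = 0;
foreach ($guards as $label => $guard) {
    echo $label, "\n";
    foreach (try_guard("$base/" . $n++, $guard) as $case => $result) {
        printf("  %-18s %s\n", $case, $result);
    }
}
```

All three guards stop the direct request, but the basename check also blocks admin/lib.php, an unrelated entry point that happens to share the file name; the other two let it through.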

By the way, it is not possible to include (i.e. include()) files from remote servers as the request would have to be served over HTTP, and the server's HTTP daemon would therefore have processed the file before it is sent. Though they still can call file_get_contents().


Guest FirefoxRocks
What about this?
<?php

/* This example assumes that www.example.com is configured to parse .php
 * files and not .txt files. Also, 'Works' here means that the variables
 * $foo and $bar are available within the included file. */

// Won't work; file.txt wasn't handled by www.example.com as PHP
include 'http://www.example.com/file.txt?foo=1&bar=2';

// Won't work; looks for a file named 'file.php?foo=1&bar=2' on the
// local filesystem.
include 'file.php?foo=1&bar=2';

// Works.
include 'http://www.example.com/file.php?foo=1&bar=2';

$foo = 1;
$bar = 2;
include 'file.txt';  // Works.
include 'file.php';  // Works.

?>


You've been asking some pretty interesting questions lately...

Let me try to describe it like that: "include" reads the content of a file as PHP code to be executed. file_get_contents() reads the file's content as plain text.

Not using "http://" means the content will be looked for on the file system. Using "http://" means that the content will be looked for over the "http://" scheme.

The emphasis on "content" is REALLY important. Try to fetch one of your own files via HTTP with your browser. You know, like:

http://example.com/file.php

(assuming you own "example.com", and that "file.php" is supposed to be included in PHP scripts)

Now click "View source"... what do you see? "Nothing" I suppose? Well, whatever you see, THAT is what PHP will try to parse as PHP code if you or anyone includes it with "http://". And your files can't be reached by someone else without the "http://" scheme. Therefore, you need not worry that someone is going to include your PHP files, and do something with them.


Guest FirefoxRocks

So if I have a file like this:

<?php
$x = "evil";
echo "<!DOCTYPE html>";
?>

Let's say that the file was located at http://example.com/h.php. If someone from http://example.org/ (different domain) did this:

<?php
include_once("http://example.com/h.php");
echo $x;
?>

You're saying that the result would be:

<!DOCTYPE html>

But not:

<!DOCTYPE html>evil

Is that correct?

Exactly.

That's the reason I edited my first post. The PHP is parsed on your server and they only get whatever is output. If you want to protect the output information of the file, just make the file check for a variable defined outside of it.

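The h.php exchange above, reproduced offline as an added example (not code from any poster in this thread). A separate PHP CLI process stands in for the remote web server, the temp paths are constructed, and the third case goes one step beyond the thread to show what changes when the server hands out the file without executing it.

```php
<?php
// Added example: h.php is rebuilt in a temp directory; all paths are constructed.
$dir = sys_get_temp_dir() . '/remote-include-demo-' . getmypid();
mkdir($dir, 0700, true);
file_put_contents("$dir/h.php", '<?php $x = "evil"; echo "<!DOCTYPE html>"; ?>');

// Include a file inside a function so its variables stay in this scope,
// then report what it printed and whether $x came along.
function include_and_report(string $path): array {
    ob_start();
    include $path;
    $output = ob_get_clean();
    return ['output' => $output, 'x' => $x ?? null];
}

// Case 1: local include. PHP reads the source from disk and runs it here.
$local = include_and_report("$dir/h.php");

// Case 2: include over http:// (needs allow_url_include, which is off by
// default) from a server that executes .php files. The includer receives
// only the response body, i.e. the script's output.
$body = (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$dir/h.php"));
file_put_contents("$dir/fetched_executed.txt", $body);
$remote = include_and_report("$dir/fetched_executed.txt");

// Case 3: the server does NOT execute the file (for example an include
// saved as .inc or .txt), so the response body is the raw source.
copy("$dir/h.php", "$dir/fetched_raw.txt");
$leaked = include_and_report("$dir/fetched_raw.txt");

$cases = ['local include' => $local, 'remote, executed' => $remote, 'remote, served raw' => $leaked];
foreach ($cases as $case => $r) {
    printf("%-20s output=%s x=%s\n", $case, json_encode($r['output']), json_encode($r['x']));
}
```

Only the first and third cases carry `$x` across, which is why include files should keep an extension the server executes as PHP, or sit behind a deny rule, so that their source is never served as text.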

Guest FirefoxRocks

Oh so they can't access the values of variables or constants defined in the include file then. But if I include the file locally (on the same server/domain), then the variables are carried on then.
