Jump to content

Protecting Include Files


Guest FirefoxRocks
 Share

Recommended Posts

Guest FirefoxRocks

Is this a secure method of protecting files that I include (require):

<?php  if ('included-file.php' === basename($_SERVER['SCRIPT_FILENAME']))	 die ('<h2>Direct File Access Prohibited</h2>');?>

I can also use .htaccess in the includes/ directory.If this isn't secure, what are some methods that I can use considering that I can only place files in the public_html (htdocs) folder?

Link to comment
Share on other sites

Guest FirefoxRocks

The purpose is to block people from including that file from other sites/servers...so:This is how I would include the file:

<?php include_once("includes/someFile.php"); ?>

But other people would need to do this:

<?php include_once("http://example.net/includes/someFile.php"); ?>

Is the code above going to protect from this?

Edited by FirefoxRocks
Link to comment
Share on other sites

I'd check for the HTTP_HOST instead:

if($_SERVER['HTTP_HOST'] != "mydomain.com")  die ('<h2>Direct File Access Prohibited</h2>');

EDIT:Actually, that wouldn't work, since the script would only run on your server anyways.

Edited by Ingolme
Link to comment
Share on other sites

Guest FirefoxRocks

So I'm assuming the code I wrote above, .htaccess and the variable check is the strongest defence against unauthorized file including?

Link to comment
Share on other sites

You can modify the file permissions so that only the owner can read it and execute it.The method you showed here does work and it requires nothing else in order to be protected.

<?phpif ($ping != "pong") {	 exit('<h2>You cannot access this file directly!</h2>');}?>

<?php   $ping = "pong";	include_once("include_file.php");?>

Link to comment
Share on other sites

By the way, it is not possible to include (i.e. include()) files from remote servers as the request would have to be served over HTTP, and the server's HTTP daemon would therefore have processed the file before it is sent. Though they still can call file_get_contents().

Link to comment
Share on other sites

Guest FirefoxRocks
By the way, it is not possible to include (i.e. include()) files from remote servers as the request would have to be served over HTTP, and the server's HTTP daemon would therefore have processed the file before it is sent. Though they still can call file_get_contents().
What about this?
  <?php/* This example assumes that www.example.com is configured to parse .php* files and not .txt files. Also, 'Works' here means that the variables* $foo and $bar are available within the included file. */// Won't work; file.txt wasn't handled by www.example.com as PHPinclude 'http://www.example.com/file.txt?foo=1&bar=2';// Won't work; looks for a file named 'file.php?foo=1&bar=2' on the local filesystem.include 'file.php?foo=1&bar=2';// Works.include 'http://www.example.com/file.php?foo=1&bar=2';$foo = 1;$bar = 2;include 'file.txt';  // Works.include 'file.php';  // Works.?>

Link to comment
Share on other sites

You've been asking some pretty interesting questions lately...Let me try to describe it like that: "include" reads the content of a file as a PHP code to be executed. file_get_contents() reads the file's content as plain text.Not using "http://" means the content will be looked on the file system. Using "http://" means that the content will be looked over the "http://" scheme.The empasis on "content" is REALLY important. Try to fetch one of your own files via HTTP with your browser. You know, like:

http://example.com/file.php

(assuming you own "exaple.com", and that "file.php" is supposed to be included in PHP scripts)Now click "View source"... what do you see? "Nothing" I suppose? Well, whatever you see, THAT is what PHP will try to parse as PHP code if you or anyone include it with "http://". And your files can't be reached by someone else without the "http://" scheme. Therefore, you need not worry that someone is going to include your PHP files, and do something with them.

Edited by boen_robot
Link to comment
Share on other sites

Guest FirefoxRocks

So if I have a file like this:

<?php$x = "evil";echo "<!DOCTYPE html>";?>

Let's say that the file was located at http://example.com/h.php.If someone from http://example.org/ (different domain) did this:

<?phpinclude_once("http://example.com/h.php");echo $x;?>

You're saying that the result would be:

<!DOCTYPE html>

But not:

<!DOCTYPE html>evil

Is that correct?

Edited by FirefoxRocks
Link to comment
Share on other sites

So if I have a file like this:
<?php$x = "evil";echo "<!DOCTYPE html>";?>

Let's say that the file was located at http://example.com/h.php.If someone from http://example.org/ (different domain) did this:

<?phpinclude_once("http://example.com/h.php");echo $x;?>

You're saying that the result would be:

<!DOCTYPE html>

But not:

<!DOCTYPE html>evil

Is that correct?

Exactly.
Link to comment
Share on other sites

That's the reason I edited my first post. The PHP is parsed on your server and they only get whatever is output. If you want to protect the output information of the file, just make the file check for a variable defined outside of it.

Link to comment
Share on other sites

Guest FirefoxRocks

Oh so they can't access the values of variables or constants defined in the include file then.But if I include the file locally (on the same server/domain), then the variables are carried on then.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...