
Protect .inc files?

I am a PHP n00b, so please excuse me if my questions are too silly.

Let’s say I want to maintain security through obscurity. I want to keep some include files, say, “header.inc” and “footer.inc” and include these files in all the pages. But I don’t want the viewer to see the contents of the “header.inc” and “footer.inc” even if they try to access the files directly. What should I do to protect these files from being accessed by users?

Another question, what’s the difference between include("footer.inc"), include('footer.inc') and include 'footer.inc'?

Thanks in advance!

PHP

6 Comments(s)

@NogDog Sep 03.2006 — [quote]I am a PHP n00b, so please excuse me if my questions are too silly.

Let's say I want to maintain security through obscurity. I want to keep some include files, say, "header.inc" and "footer.inc" and include these files in all the pages. But I don't want the viewer to see the contents of the "header.inc" and "footer.inc" even if they try to access the files directly. What should I do to protect these files from being accessed by users?
[/quote]

You can store the files in a directory which is not under the web document root directory.

[quote]Another question, what's the difference between include("footer.inc"), include('footer.inc') and include 'footer.inc'?
[/quote]

Basically, there is no difference. In your example, using double-quotes or single-quotes will have no functional difference (but see http://www.php.net/manual/en/language.types.string.php for details on the different ways to quote string literals and how they differ). The parentheses are optional, because [b]include[/b] is a special language construct and not a function. However, see http://www.php.net/include for details should you want to use the return value of an include for any reason.
@DJsAC Sep 03.2006 — Optionally you could put the entire contents of the include.inc file in a variable.

That way, if someone were to find the include.inc file, and open it in the browser the page would remain blank because the string is not being echo'ed.

include.inc:
[CODE]
<?php
$content = "
<hr> blablabla <font size=\"-1\"> sensitive data </font> blabla
be sure to remember to escape \" with a slash to avoid errors.
"; ?>[/CODE]
or use the other format and avoid escaping everything:
[CODE]
<?php
$content = <<<ENDINCLUDEDATA
This uses the "here document" syntax to output
multiple lines with $variable interpolation. Note
that the here document terminator must appear on a
line with just a semicolon. no extra whitespace!
ENDINCLUDEDATA;
?>[/CODE]

and in the page that has the include, change from:
[code=php]
include('include.inc');
//to
include('include.inc');
echo $content;
[/code]
@Charles Sep 03.2006 — If you're using an Apache server and .htaccess is enabled:
[CODE]
<Files *.in?>
order allow,deny
deny from all
</Files>
[/CODE]
I use ".ini" files for things like e-mail addresses so I like to hide them as well.
@bokeh Sep 04.2006 — [QUOTE]you could put the entire contents of the include.inc file in a variable. That way, if someone were to find the include.inc file, and open it in the browser the page would remain blank because the string is not being echo'ed.[/QUOTE]
This is bogus. By default a .inc file would be served as is, without being parsed. It is only its inclusion into a PHP script that causes it to be parsed, but if it is called directly it will just dump its contents straight to screen, no matter what that content might be. Either store the file outside document root or give it a php extension.
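A way to check this point against a real site, as an added example that is not part of the original thread: the PHP command-line script below walks a document root and lists files that contain PHP code but whose extension is not handed to the PHP handler, so the server would send their source as plain text. The function name, the `PARSED_EXTENSIONS` list and the sample tree are assumptions made for the example; set the list to match your server's handler configuration.

```php
<?php
// Added example: list files under a document root that hold PHP source
// but would be served as plain text because of their extension.
// ASSUMPTION: only these extensions are mapped to the PHP handler.
const PARSED_EXTENSIONS = ['php', 'phtml'];

/** @return string[] paths, relative to $docRoot, whose source would be sent raw */
function find_raw_served_php(string $docRoot): array
{
    $docRoot = rtrim($docRoot, '/\\');
    $leaks = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $ext = strtolower($file->getExtension());
        if (in_array($ext, PARSED_EXTENSIONS, true)) {
            continue; // executed by PHP, so the source is not sent to the client
        }
        // Read only the first 64 KiB; enough to spot an opening tag.
        $head = file_get_contents($file->getPathname(), false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $leaks[] = substr($file->getPathname(), strlen($docRoot) + 1);
        }
    }
    sort($leaks);
    return $leaks;
}

// Constructed sample tree so the script runs on its own.
$root = sys_get_temp_dir() . '/docroot_' . bin2hex(random_bytes(4));
mkdir("$root/inc", 0700, true);
file_put_contents("$root/index.php", "<?php include 'inc/header.inc';");
file_put_contents("$root/inc/header.inc", "<?php \$content = 'menu'; ?>");
file_put_contents("$root/inc/footer.inc.php", "<?php \$content = 'foot'; ?>");
file_put_contents("$root/style.css", "body { margin: 0 }");

print_r(find_raw_served_php($root));
```

The script does not read .htaccess, so files already blocked by a `<Files>` rule like the one earlier in the thread are still reported.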
@chazzy Sep 04.2006 — Another thing to consider is having security in the inc files directly

[code=php]
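// PHP_SELF is the URL path of the script that was requested
$activePage = $_SERVER['PHP_SELF'];
if ($activePage == "your include page's name") {
    // the include file itself was requested
    die("Illegal access");
} else {
    // whatever should be on the inc page.
}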
[/code]
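A variant of this guard, as an added example that is not chazzy's code: it compares resolved file paths from `SCRIPT_FILENAME` instead of the `PHP_SELF` string, because `PHP_SELF` also carries any trailing path info from the URL and so does not always equal the include's name. The helper names, the temporary files and the three `$_SERVER` arrays are constructed for the demonstration, and like the original the guard only works when the include file is itself run by PHP.

```php
<?php
// Added example. Function names and sample paths are hypothetical.

/** The guard from the post: compare PHP_SELF with the include's URL path. */
function php_self_guard(array $server, string $urlPath): bool
{
    return ($server['PHP_SELF'] ?? '') == $urlPath;
}

/** Variant: is the guarded file the script the server was asked to run? */
function is_direct_request(string $guardedFile, array $server): bool
{
    $guarded = realpath($guardedFile);
    $entry   = realpath($server['SCRIPT_FILENAME'] ?? '');
    return $guarded !== false && $guarded === $entry;
}

// Constructed files so realpath() has something to resolve.
$root = sys_get_temp_dir() . '/guard_' . bin2hex(random_bytes(4));
mkdir("$root/inc", 0700, true);
touch($index = "$root/index.php");
touch($header = "$root/inc/header.inc.php");

// Constructed $_SERVER values for three requests.
$requests = [
    'included from /index.php' =>
        ['PHP_SELF' => '/index.php', 'SCRIPT_FILENAME' => $index],
    'GET /inc/header.inc.php' =>
        ['PHP_SELF' => '/inc/header.inc.php', 'SCRIPT_FILENAME' => $header],
    'GET /inc/header.inc.php/x' => // PHP_SELF keeps the trailing path info
        ['PHP_SELF' => '/inc/header.inc.php/x', 'SCRIPT_FILENAME' => $header],
];

foreach ($requests as $label => $server) {
    printf(
        "%-28s PHP_SELF guard blocks: %-3s  path guard blocks: %s\n",
        $label,
        php_self_guard($server, '/inc/header.inc.php') ? 'yes' : 'no',
        is_direct_request($header, $server) ? 'yes' : 'no'
    );
}

// In a real include, the first lines would be:
//   if (is_direct_request(__FILE__, $_SERVER)) { http_response_code(403); exit; }
```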
@felgall Sep 04.2006 — You need to add a .php suffix to the .inc files if you want them parsed for PHP when standalone. Better to put them somewhere that they can't be separately accessed though.