Menu
Community /Pin to ProfileBookmark
@NogDogSep 12.2014 — #You can store them completely outside of the web root directory, so that they are only available internally. (Just make sure they and their directory are readable by the apache user).
You can put them in a directory with .htaccess settings that deny access.
You can add the following as the first line of any include file:
@NogDogSep 12.2014 — #Also, note that included files can have any file name suffix you want to use, they don't have to be "*.php", in case you want to use a different suffix that you can specify in your apache config or .htaccess to deny. @NogDogSep 12.2014 — #Oh, and a last note, if your include files consist only of class and/or function definitions, then there's really no damage that can occur if they are accessed via HTTP (assuming they get processed as PHP files). @NogDogSep 12.2014 — #The simplest approach, though it does not scale well if you have lots of include files) would be to edit each of these included files:
In each, just add the couple lines of code I posted above as the very first thing in each file (other than comments):
If you want a more robust solution, you could look at .htaccess settings in that "inc" directory to prevent any access to files within it. I don't know the exact syntax for that, so I will let you Google it instead of me Googling it for you (or wait for someone else who knows that stuff better than I do to come along here. ? )@NogDogSep 12.2014 — #I don't think the "Options -Indexes" would completely stop anyone from accessing the include files, but if you create a .htaccess file in that "inc" folder, I believe all it would have to contain is:
This assumes there are absolutely no files in or below that "inc" directory that you would ever want someone to directly access via HTTP.@NogDogSep 12.2014 — #
It should not affect php includes that specify the file by its pathname, not via a URL. If you have to access the files by URL for any reason (e.g. calling it via JavaScript from a rendered page in the browser), then you cannot hide it from any HTTP access in any of these manners, since it has to in fact be accessible via HTTP. But you should never (or almost never) be doing PHP includes via a URL.
Based on your initial post, you only discussed PHP include/require commands to some PHP files in a folder called "inc". If there are other files in that folder (or one of its subfolders) that need to be accessed via HTTP, then no, you cannot just deny all from the "inc/.htaccess" file -- but then that means I really don't understand your issue, then. ?
Stop direct access to include files php
How to stop direct access to include files..
example
index.php
require_once(inc/header.php)
require_once(inc/footer.php)
require_once(inc/footer.php)
require_once(inc/validation.php)
i have a dynamic website.. and i have several files in the includes folder and i don’t want that somebody have direct access to these files,
I tried Deny from All then i am unable to get the recourses.
Help me!!1
Sign in
to post a comment12 Comments(s) ↴
0
@NogDogSep 12.2014 — #You can store them completely outside of the web root directory, so that they are only available internally. (Just make sure they and their directory are readable by the apache user).You can put them in a directory with .htaccess settings that deny access.
You can add the following as the first line of any include file:
[code=php]
<?php
if(realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME']) {
header('HTTP/1.0 404 Not Found');
exit;
}
[/code]...(which of course could be combined with the other methods just to make sure)0
@NogDogSep 12.2014 — #0
@NogDogSep 12.2014 — #0
@NogDogSep 12.2014 — #The simplest approach, though it does not scale well if you have lots of include files) would be to edit each of these included files:<i>
</i>require_once([B][COLOR="#B22222"]inc/header.php[/COLOR][/B])
require_once([B][COLOR="#B22222"]inc/footer.php[/COLOR][/B])
require_once([B][COLOR="#B22222"]inc/footer.php[/COLOR][/B])
require_once([B][COLOR="#B22222"]inc/validation.php[/COLOR][/B])
In each, just add the couple lines of code I posted above as the very first thing in each file (other than comments):
[code=php]
<?php // make sure there is no white-space of any sort before this opening tag!
if(realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME']) {
header('HTTP/1.0 404 Not Found');
exit;
}
[/code]If you want a more robust solution, you could look at .htaccess settings in that "inc" directory to prevent any access to files within it. I don't know the exact syntax for that, so I will let you Google it instead of me Googling it for you (or wait for someone else who knows that stuff better than I do to come along here. ? )
0
@NogDogSep 12.2014 — #I don't think the "Options -Indexes" would completely stop anyone from accessing the include files, but if you create a .htaccess file in that "inc" folder, I believe all it would have to contain is:<i>
</i>deny from all
This assumes there are absolutely no files in or below that "inc" directory that you would ever want someone to directly access via HTTP.
0
@NogDogSep 12.2014 — #but the problem is that if i use
"deny from all"
then my includes file does not work internally.. for example.. my javascript validation file,my php includes file and more..
its give me forbidden error[/QUOTE]
It should not affect php includes that specify the file by its pathname, not via a URL. If you have to access the files by URL for any reason (e.g. calling it via JavaScript from a rendered page in the browser), then you cannot hide it from any HTTP access in any of these manners, since it has to in fact be accessible via HTTP. But you should never (or almost never) be doing PHP includes via a URL.
Based on your initial post, you only discussed PHP include/require commands to some PHP files in a folder called "inc". If there are other files in that folder (or one of its subfolders) that need to be accessed via HTTP, then no, you cannot just deny all from the "inc/.htaccess" file -- but then that means I really don't understand your issue, then. ?