How can I protect my included php files from direct access?

2
votes

My script...

index.php

DEFINE('DIR', 'http://www.example.com');
DEFINE('IN_PAGE', TRUE);

INCLUDE DIR . ('/incl/header.php');
INCLUDE DIR . ('/incl/content.php');
INCLUDE DIR . ('/incl/footer.php');

/incl/header.php

if (!defined('IN_PAGE'))
{
    header("Status: 403 Forbidden");
    exit('<B>403 Forbidden</B>');
}

Visiting index.php

Warning: include(http://www.example.com/incl/header.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /public_html/incl/index-incl.php on line 4

Warning: include() [function.include]: Failed opening 'http://www.example.com/incl/header.php' for inclusion (include_path='.:/usr/lib64/php:/usr/lib/php') in /public_html/incl/index-incl.php on line 4

It works kinda, if I try accessing the file directly I get "Forbidden" message like I wanted.. But I can't include it in my script.. even though I'm pretty sure I followed phpBB's dev wiki correctly.

I'm pretty damn novice, so your help is greatly appreciated! =]

5
phpinclude
The best way is to put your include files outside the document root or to configure your server not to execute scripts in the directory they're in.Matti Virkkunen
What do you mean by "I can't include it in my script"? In what way?Zirak

5 Answers

1
votes

The ideal way would be to place your include files outside of the webroot.

This is not always possible so make sure your include files don't 'run' any code by themselves. Adopt an Object Oriented approach where either a file contains runnable code, or it's a class file that doesn't do anything by itself.

Another alternative would be to change the extensions of your include files (to .inc for instance) and deny these from direct access with htaccess.

As a pro-tip: when you're including files always include with an absolute path:

include(dirname(__FILE__) . "/includes/template.inc");
// __FILE__ is the diskpath of the current file

and not:

include("includes/template.inc");

This will save you many headaches.

And as the other guys said, never include files from another webserver (http://), this means you're doing something fundamentally wrong :P

0
votes

You are trying to include like INCLUDE ('http://www.example.com/incl/header.php'); basically

Change the dir to DEFINE('DIR', dirname(__FILE__));

Or something similar so it's not using a domain in the include path which then means the include is done locally.

0
votes

you tries to include a remote file DEFINE('DIR', 'http://www.example.com'); so your server actually calls the url, gets the error and shows it use relative path eg. DEFINE('DIR', '/'); instead

0
votes

Your problem is, include uses the local path of files, not the urls. You need to know what is the root path of your files in your account, like /home/your_account/public_html/