This section describes how we can protect a PHP module that can be called with the include function, but is not secure and has a big risk. The solution is that we can make this module file not execute or be called when it is not included; the code is simple, with a test on the file name. Some study case: we are hosting on sites where we cannot protect the directory; regularly we add .htaccess in the folder /inc/. I was putting .htaccess so that if we call http://localhost/inc/ it displays forbidden, but if I try calling http://localhost/inc/connect-module.php it will be successful and maybe some accident will happen here.
<?php
### filename: connect-module.php
### this file cannot be executed unless it is pulled in via include()
### bypass section: must be placed before anything else (the very first lines)
### eregi() and the register_globals variable $PHP_SELF no longer exist in
### current PHP; use $_SERVER['PHP_SELF'] with a case-insensitive match instead
if (stripos($_SERVER['PHP_SELF'] ?? '', 'connect-module.php') !== false) exit();
### your code begins below
###............
?>
Using the "Files" Apache directive makes this easier. Warning: this comment may only interest you if your PHP code is running on your own Apache server.
To avoid including guard code in all your PHP includes, you may add a suffix to your include file names, and then tell Apache to deny access to files having this suffix.
I use a '.inc.php' suffix for my include files and have the following lines in the Apache configuration file (e.g. httpd.conf or apache.conf):
<Files ~ ".inc.php$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" / "Deny from all"
    Require all denied
</Files>
A More Generic Approach. Another solution for preventing access to include files that would not have to be changed on a page-to-page basis is the following:
Another quick method: a universal check of whether the file is included or requested via HTTP GET. Or, to put it another way: if HTTP_GET contains CURRENT_FILE_NAME, exit;
Seems fool proof to me...?
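The "is this file the requested script, or merely an include?" check above, written out as an added example (not code from any of the notes on this page, and not the PHP manual's own). It compares canonical paths rather than searching for the file name inside $PHP_SELF, so it does not rely on register_globals and is not triggered by a parent script whose path merely contains the same name; the helper names and the temporary directory are assumptions for the self-check.

```php
<?php
// Guard for an include file: true when $thisFile is the script the web
// server is executing directly, false when it is only being included.
//
//   $thisFile        -> __FILE__ of the include being protected
//   $scriptFilename  -> $_SERVER['SCRIPT_FILENAME'] (the entry script)
function isRequestedDirectly(string $thisFile, string $scriptFilename): bool
{
    $a = realpath($thisFile);
    $b = realpath($scriptFilename);
    // If either path cannot be resolved, fail closed: treat it as direct access.
    if ($a === false || $b === false) {
        return true;
    }
    return $a === $b;
}

// Usage at the very top of an include such as connect-module.php:
//
//   if (isRequestedDirectly(__FILE__, $_SERVER['SCRIPT_FILENAME'] ?? '')) {
//       http_response_code(403);
//       exit;
//   }

// Self-check with constructed files in a temporary directory (assumed writable).
function check(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
    echo "ok: $what\n";
}

$dir = sys_get_temp_dir() . '/inc-guard-demo';
@mkdir($dir . '/connect-module.php', 0700, true);   // a DIRECTORY with that name
file_put_contents("$dir/connect-module.php/index.php", "<?php\n");
file_put_contents("$dir/index.php", "<?php\n");
file_put_contents("$dir/db.inc.php", "<?php\n");

// Browser asks for /inc/db.inc.php itself -> must be refused.
check(isRequestedDirectly("$dir/db.inc.php", "$dir/db.inc.php"),
      'direct request is detected');
// index.php includes db.inc.php -> allowed.
check(!isRequestedDirectly("$dir/db.inc.php", "$dir/index.php"),
      'include from index.php is allowed');
// A substring test on the name (as in the first note) would wrongly block
// this include, since the entry script's path contains "connect-module.php".
check(!isRequestedDirectly("$dir/db.inc.php", "$dir/connect-module.php/index.php"),
      'path that merely contains the name is not a false positive');
// Unresolvable entry script -> fail closed.
check(isRequestedDirectly("$dir/db.inc.php", "$dir/does-not-exist.php"),
      'unresolvable script path fails closed');
```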
Or another way, if your server supports it, is to have your includes above the webroot directory. So if pages are served from /var/www/htdocs, then have your includes be located in /var/www. This way there isn't a way to access those files.