 Posted by ZeldorBlat on 02/18/06 06:28 
Dave Schwimmer wrote: 
> samudasu wrote: 
> 
> > To start off with, opening a php file won't show you php code. It only
> > shows the results of the php script after it's run. FTP should be
> > password protected; no one but you will have this password.
> > 
> > I've found that placing sensitive files above document_root works
> > nicely like you've mentioned. Here's how it's done:
> > /usr/local/apache/htdocs/ is the doc root. 
> > Make a /usr/local/apache/incfiles/ dir to keep sensitive files, db
> > connect scripts, user/pass info, etc. Users have no direct access to
> > these files since they're not in the doc root. Files in this dir are 
> > used with the include() or require() functions. Users don't need 
> > permission to this folder so there are no special permissions required. 
> > The apache user (usually nobody) will access the files. 
> > 
> > example: 
> > /usr/local/apache/htdocs/verifylogin.php is a page you can guess what 
> > it does. 
> > I want to include() the script
> > "/usr/local/apache/incfiles/chkpass.inc.php" in verifylogin.php; it
> > connects to the db and checks the client's username and password.
> > 
> > verifylogin.php... 
> > 
> > <?php
> > // assumes chkpass.inc.php sets $ok to true when the credentials match
> > include '../incfiles/chkpass.inc.php';
> > ?>
> > <html>
> > <body>
> > <?php if ($ok) { ?>
> >     <p>user/pass correct: show this</p>
> > <?php } else { ?>
> >     <p>user/pass failed: show this</p>
> > <?php } ?>
> > </body>
> > </html>
> > 
> > If you view source of verifylogin.php you'll see no php code and no 
> > path / reference to /usr/local/apache/incfiles/chkpass.inc.php. 
> > 
> 
> Thank you. This is PRECISELY the sort of information I was looking for. 
 
Since you seem to be pretty worried about this "problem," here's how 
you can take samudasu's solution one step further. 
 
Create a file called protectInclude.php and put this in there: 
 
<?php
// Abort unless the calling script has declared itself a valid entry point.
if (!defined('myApp') || myApp == false)
    die("You shouldn't be here.");
?>
 
Now, at the top of any file that a web client shouldn't be able to 
access directly put the following: 
 
<?php require("protectInclude.php"); ?> 
 
And finally, at the top of any file that /is/ a valid entry point, 
put: 
 
<?php 
define('myApp', true); 
?> 
 
In this manner, even if you screw something else up, you won't get 
burned.
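Putting the two posts together, here is an added example (not code from either poster) that wires samudasu's incfiles directory to the guard constant above. The three files are shown in one block separated by "file:" comments; the credential table, the function names and the HTTP 403 are assumptions for illustration.

```php
<?php
// Added example: assumed layout is /usr/local/apache/htdocs/ as DocumentRoot
// and /usr/local/apache/incfiles/ as its sibling outside the web root.
// Copy each "file:" section below into the file named in its comment.

// ---- file: /usr/local/apache/incfiles/protectInclude.php ----
// Aborts when a protected file is reached without the entry-point constant,
// e.g. when a client requests an include file directly.
if (!defined('myApp') || constant('myApp') !== true) {
    http_response_code(403);
    die("You shouldn't be here.");
}

// ---- file: /usr/local/apache/incfiles/chkpass.inc.php ----
// Every file that must never be an entry point starts with the guard.
require __DIR__ . '/protectInclude.php';

// Constructed sample credential store (hypothetical); a real one reads the db.
function credential_table(): array {
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Returns true only when the user exists and the password verifies.
function check_password(string $user, string $pass): bool {
    $table = credential_table();
    return isset($table[$user]) && password_verify($pass, $table[$user]);
}

// ---- file: /usr/local/apache/htdocs/verifylogin.php (valid entry point) ----
// define() must run before any protected file is required, or the guard fires.
define('myApp', true);
// dirname(__DIR__) is /usr/local/apache, so this resolves to the incfiles
// directory outside htdocs regardless of PHP's working directory.
require dirname(__DIR__) . '/incfiles/chkpass.inc.php';

$ok = check_password($_POST['user'] ?? '', $_POST['pass'] ?? '');
?>
<html>
<body>
<?php if ($ok): ?>
    <p>Login successful.</p>
<?php else: ?>
    <p>Login failed.</p>
<?php endif; ?>
</body>
</html>
```

Requesting verifylogin.php serves the page as before, while a direct request for anything under incfiles/ is unreachable through Apache, and a stray copy of chkpass.inc.php inside htdocs/ would still stop at the guard.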