Posted by James Beilby on 03/06/06 20:12
Hello people,
It's been a long time since I've asked any techie questions on Usenet but I
am under pressure to finish a project and the following issue has me
stumped. I appreciate that it's a bit long-winded but I'd be much obliged if
anyone could shed any light...
I am currently developing a PHP-based site for a client on IIS. It might be
worth pointing out here that, from a Linux background, I am no expert on IIS
or NTFS permissions.
The site includes an /admin/ folder that I wish to secure with a password.
The contents of this folder include non-web files that I wish to protect,
so application-level password protection implemented in PHP is not suitable.
To secure the folder at the IIS/NTFS level, I enabled a "WWW Password" in a
web control panel (HCPanel) for the admin folder. Am I right in thinking
that this would probably create an IUSR account on the server, and modify
the admin folder's ACL to restrict access to this account only?
Anyway, this works great for static content and some PHP files, but I have
come across the following issue...
When a PHP file in the protected area (e.g. /admin/index.php) tries to
include() or require() a PHP file outside that protected area (e.g.
/include/config.php), an error occurs:
Warning: main(../include/config.php) [function.main]: failed to create
stream: No such file or directory in
c:\websites\clientusername\clientdomain.com\admin\index.php on line 3
Fatal error: main() [function.main]: Failed opening required
'../include/config.php' (include_path='.;c:\php4\pear') in
c:\websites\clientusername\clientdomain.com\admin\index.php on line 3
This occurs only when the admin area is protected; removing the protection
allows the script to run normally. Changing '../include/config.php' to an
absolute path changes the first error to a "Permission Denied" warning.
To me, it's logical that /include/config.php might not be able to include
/admin/index.php as it does not have permissions, but why does the
'privileged' user /admin/index.php not have access to /include/config.php?
I recognise that there are ways to work around this e.g. creating a copy of
the included files under the admin folder, or resorting to application-level
password protection, but I'd hope that there is a more elegant resolution.
Many thanks,
James Beilby