How can I protect my included php files from direct access?

开发者 https://www.devze.com 2023-02-28 23:15 Source: Internet
My script...

index.php

DEFINE('DIR', 'http://www.example.com');
DEFINE('IN_PAGE', TRUE);

INCLUDE DIR . ('/incl/header.php');
INCLUDE DIR . ('/incl/content.php');
INCLUDE DIR . ('/incl/footer.php');

/incl/header.php

if (!defined('IN_PAGE'))
{
    header("Status: 403 Forbidden");
    exit('<B>403 Forbidden</B>');
}

Visiting index.php

Warning: include(http://www.example.com/incl/header.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /public_html/incl/index-incl.php on line 4

Warning: include() [function.include]: Failed opening 'http://www.example.com/incl/header.php' for inclusion (include_path='.:/usr/lib64/php:/usr/lib/php') in /public_html/incl/index-incl.php on line 4


It works kinda, if I try accessing the file directly I get "Forbidden" message like I wanted.. But I can't include it in my script.. even though I'm pretty sure I followed phpBB's dev wiki correctly.

I'm pretty damn novice, so your help is greatly appreciated! =]


Go for use of htaccess


The ideal way would be to place your include files outside of the webroot.

This is not always possible so make sure your include files don't 'run' any code by themselves. Adopt an Object Oriented approach where either a file contains runnable code, or it's a class file that doesn't do anything by itself.

Another alternative would be to change the extensions of your include files (to .inc for instance) and deny these from direct access with htaccess.

As a pro-tip: when you're including files always include with an absolute path:

include(dirname(__FILE__) . "/includes/template.inc");
// __FILE__ is the diskpath of the current file

and not:

include("includes/template.inc");

This will save you many headaches.

And as the other guys said, never include files from another webserver (http://), this means you're doing something fundamentally wrong :P


You are trying to include like INCLUDE ('http://www.example.com/incl/header.php'); basically

Change the dir to DEFINE('DIR', dirname(__FILE__));

Or something similar so it's not using a domain in the include path which then means the include is done locally.


You are trying to include a remote file (DEFINE('DIR', 'http://www.example.com');), so your server actually calls the URL, gets the error and shows it. Use a relative path instead, e.g. DEFINE('DIR', '/');


Your problem is, include uses the local path of files, not the urls. You need to know what is the root path of your files in your account, like /home/your_account/public_html/
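
The fix the answers above describe, as an added example that is not code from the original thread: the guarded file is included by filesystem path, so the IN_PAGE check passes inside the include and fails when the file is run on its own. The temp directory, the file contents and the child PHP process standing in for a direct request are assumptions of the demo.

```php
<?php
// Added example, not code from the original thread. The temp directory and
// the file contents below are constructed for this demo.
declare(strict_types=1);

$root = sys_get_temp_dir() . '/incl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/incl', 0700, true);

// incl/header.php: the guard from the question, sending a real 403 status.
$guarded = <<<'SRC'
<?php
if (!defined('IN_PAGE')) {
    http_response_code(403);
    exit('403 Forbidden');
}
echo "<header>site header</header>\n";
SRC;
file_put_contents($root . '/incl/header.php', $guarded);

// Case 1: the file is run on its own (a child PHP process stands in for a
// direct browser request). IN_PAGE is undefined, so the guard stops it.
$cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($root . '/incl/header.php');
echo 'direct access : ', trim((string) shell_exec($cmd)), "\n";

// Case 2: the entry script defines the constant and includes by disk path.
// DIR is a directory, not a URL, so PHP reads the file locally in the same
// process and the constant is visible inside the included file.
define('IN_PAGE', true);
define('DIR', $root);
echo 'via include   : ';
include DIR . '/incl/header.php';

// Remote (http://) includes are controlled by this php.ini setting;
// it should report off ("0" or an empty string).
echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";

// Clean up the constructed files.
unlink($root . '/incl/header.php');
rmdir($root . '/incl');
rmdir($root);
```

With an http:// value in DIR, as in the question, the include becomes a separate HTTP request to the guarded file, which is why the guard's own 403 came back as the include error.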
