  1. #1 SitePoint Enthusiast (Join Date: Oct 2004; Location: Next Door; Posts: 42)

    How to protect PHP includes?

    Hello, I'm new to PHP and trying to figure out how to protect PHP include files. I've searched Google and got one solution which needs to edit the php config to make those files with certain extensions inaccessible. But is there a way to protect these include files without editing the php configuration? Like making a function so the includes can only be called by php scripts.

    Any information would be greatly appreciated.

  2. #2 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    What you can do is this. In your top-level scripts, you define a constant with a name of your choice. Then you put a little piece of code in the scripts that are included that will check if the constant exists or not. If it does, the script was included. If not, display an error message and stop the execution of the script.

    Yours, Erik.

  3. #3 worchyld, SitePoint Guru (Join Date: Jul 2003; Location: Newcastle upon Tyne; Posts: 909)
    Put the includes into an "includes/" directory, then put a .htaccess file into the directory with the following statement:

    Code:
    Order deny,allow 
    Deny from all
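
    An added example (not from the thread) of the same includes/.htaccess file written for both Apache generations. Apache reads .htaccess on any operating system it runs on, Windows included, as long as the directory's AllowOverride setting permits it; the Order/Deny directives above are Apache 2.2 syntax and on Apache 2.4 only work when mod_access_compat is loaded, so the native 2.4 form is Require all denied. IIS does not read .htaccess at all, so there the server's own rules are needed.

```apache
# includes/.htaccess (added example, not from the thread)

# Apache 2.2 syntax, as in the post above
Order deny,allow
Deny from all

# Apache 2.4 syntax (use this instead of the two lines above on 2.4;
# keeping both only works if mod_access_compat is enabled)
Require all denied
```

    A quick check after creating the file is to request one of the include files directly in a browser: the server should answer 403 Forbidden rather than run the script. If it still runs, AllowOverride for that directory does not permit the file and it is being ignored.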

  4. #4 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    worchyld, that is a really smooth solution. Unfortunately, not everyone has the possibility to use .htaccess files. In those cases, my solution can be used.

    Yours, Erik.

  5. #5 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    You can just use sessions to protect the files. Example...
    file blah.php
    PHP Code:
    <?php
    session_start();
    // empty() avoids an "undefined index" notice when nothing has set the session value yet
    if (empty($_SESSION["logged"])) {
        echo "You can't view this file!";
    } else {
        include_once("dir/blahblah.php");
    }
    ?>
    now into the dir folder file put at the top..
    file blahblah.php
    PHP Code:
    <?php
    // $_SERVER["PHP_SELF"] is the path of the script the web server was asked for,
    // so it contains "/dir/" only when this file was requested directly, not when
    // it was included from a script that lives outside dir/
    if (strstr($_SERVER["PHP_SELF"], "/dir/")) die("You are not allowed to view this file!");
    // rest of the code
    ?>
    cheers

  6. #6 SitePoint Enthusiast (Join Date: Oct 2004; Location: Next Door; Posts: 42)
    thanks for the info guys

    @lilleman, since I'm new to php, it's a bit hard for me to make it myself. I know what you're talking about, but I'm not quite clear about the details. So could you please write some brief code? Thank you.

    @worchyld, yes, I already put them in includes/ and also a .htaccess. But does that only work on a Linux server? If so, what if I'm doing this under Windows? Please correct me if I'm wrong.

  7. #7 SitePoint Enthusiast (Join Date: Oct 2004; Location: Next Door; Posts: 42)
    Quote Originally Posted by reminder
    u can just use sessions to protect the files. example...
    owo, that is quick, ok I'll try that now. thanks

  8. #8 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    Quote Originally Posted by undefined
    @lilleman, since I'm new to php, it's a bit hard for me to make it myself. I know what you talking about, but I'm not quite clear about the details. so could you please write a brief code? thank you
    A top-level script ...

    PHP Code:
    <?php

    // define the marker constant before pulling in the protected file
    define('ALLOW_INC', true);
    include 'script.php';

    ?>
    ... and then the included file.

    PHP Code:
    <?php

    // if the constant is missing, this file was requested directly, not included
    if(!defined('ALLOW_INC'))
      die('access denied');

    // the rest of your script

    ?>
    Yours, Erik.

  9. #9 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    Don't forget to set the session value "logged" in your login script!
    example
    PHP Code:
    <?php
    session_start();

    function login() {
        // escape the posted values before putting them into the query, so quotes
        // in the input cannot change the SQL statement (SQL injection);
        // assumes a connection has already been opened with mysql_connect()
        $username = mysql_real_escape_string($_POST["username"]);
        $pass = mysql_real_escape_string($_POST["password"]);
        $query = mysql_query("SELECT *
                              FROM users
                              WHERE username = '$username'
                              AND password = '$pass'");
        $row = mysql_num_rows($query);
        if ($row > 0) {
            $_SESSION["logged"] = 1;
        } else {
            echo "Invalid username or password!";
        }
        mysql_free_result($query);
    }

    function logout() {
        $_SESSION["logged"] = 0;
    }
    ?>

  10. #10 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    I think that using sessions to solve such a simple problem is a little bit overkill.

    Yours, Erik.

  11. #11 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    Sure!
    Explain this to the beginner
    PHP Code:
    <?php

    define('ALLOW_INC', true);
    include 'script.php';

    ?>

  12. #12 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    I think that my code is much easier for a beginner to understand than your code. What my code does is define a constant called ALLOW_INC. In script.php we check to see if the constant ALLOW_INC is defined or not using the function defined. If the constant is not found, the execution of the script is terminated and an error message with the text "access denied" is displayed.

    Yours, Erik.
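
    The following is an added example, not code from any post in this thread, that exercises the ALLOW_INC guard explained in posts #8 and #12 end to end. It writes a top-level script and a guarded include into a temporary directory (the directory and file names are chosen here) and runs each file in its own PHP process, which is how a web server treats every request: the constant defined by index.php only exists inside that request, so executing script.php on its own behaves like a direct browser request for the include file. The first run should reach the echo in the include; the second should stop at the guard. It assumes PHP 7 or later on the command line with shell_exec available.

```php
<?php
// Added example, not from the thread: demonstrates the ALLOW_INC include guard.
// Directory and file names are arbitrary choices for this demo.
$dir = sys_get_temp_dir() . '/inc_guard_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

// The protected include. The guard is the first statement so that nothing in
// the file runs before the check; a nowdoc keeps the inner <?php tag literal.
file_put_contents($dir . '/script.php', <<<'PHP'
<?php
if (!defined('ALLOW_INC')) {
    die('access denied');
}
echo "included content runs";
PHP
);

// The top-level script: defines the marker constant, then includes the file.
file_put_contents($dir . '/index.php', <<<'PHP'
<?php
define('ALLOW_INC', true);
include __DIR__ . '/script.php';
PHP
);

// Run one file as a separate PHP process, the way a web server serves a request.
// Constants defined while handling one request never carry over into another,
// which is exactly why the guard can tell "included" from "requested directly".
function runScript(string $file): string
{
    return trim((string) shell_exec(PHP_BINARY . ' ' . escapeshellarg($file)));
}

printf("%-10s -> %s\n", 'index.php', runScript($dir . '/index.php'));
printf("%-10s -> %s\n", 'script.php', runScript($dir . '/script.php'));

// Tidy up the temporary files.
unlink($dir . '/script.php');
unlink($dir . '/index.php');
rmdir($dir);
```

    Run it with `php demo.php` (any file name). Because the guard compares a constant rather than anything taken from the request, it cannot be satisfied by changing the URL; it only depends on the top-level script having called define() before the include.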

  13. #13 SitePoint Enthusiast (Join Date: Oct 2004; Location: Next Door; Posts: 42)
    uhmmm... you guys are nice

    @reminder, your second post is just bible, for me. I haven't yet got into SQL. I tried your first post, it says undefined var "logged".
    so I just have this line in index.php
    PHP Code:
    include "includes/inc.php";
    and this line in inc.php
    PHP Code:
    if (strstr($_SERVER["PHP_SELF"], "/includes/")) die("You are not allowed to view this file!");
    and that works. For now, I just don't want the include files to be viewed directly. It doesn't involve any usernames or passwords... Is that ok?

    @lilleman, that seems easier for me. I will try it, thanks.

  14. #14 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    Tell me something....
    if I have...
    PHP Code:
    define("ALLOW_INC", true);
    so why in the include file
    PHP Code:
    if(!defined("ALLOW_INC")) { // sorry..ok now

    so better to put this directly into the include file
    PHP Code:
    if (strstr($_SERVER["PHP_SELF"], "/includes/")) die("You are not allowed to view this file!");
    Another thing.. I set sessions just for viewing the file or not, depending on whether you are logged in or not!

  15. #15 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    In the second file, you should use the function defined (not define) to check if the constant exists. If it doesn't, the file was not included.

    Yours, Erik.

  16. #16 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    So I have to open my script and change the definition to allow the file to be viewed every time I want it?
    Isn't that too complex?

  17. #17 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    Well, you should use a .htaccess file (see the post by worchyld in this thread) if you can. If not, my solution is one of the easiest ways (at least I think it is) to protect your include files from being viewed directly in the browser.

    Yours, Erik.

  18. #18 reminder, SitePoint Wizard (Join Date: Mar 2004; Posts: 1,647)
    So we come to my script, because if you want to enable or disable the definition you have to use sessions on login!
    Allow includes is an absolute constant which is used for intranet security, not for a simple user website!

  19. #19 lilleman, Tranceoholic (Join Date: Feb 2004; Location: Örebro, Sweden; Posts: 2,716)
    Hi,

    Of course you can use it on a small website. The piece of code I wrote does not have anything to do with user authentication, it is used to make sure that scripts that should be included cannot be accessed directly through a browser.

    Yours, Erik.

