Protecting my includes directory with htaccess. Any potential problems doing this?

I am developing a backend for my site and I have put all of my forms for doing sql queries in includes/forms
My index & edit pages e.t.c. require login using the following code:

          header('Location: login.php');

However, I can’t put this code in my forms because it will throw an error for re-declaration, so I just put a .htaccess in the includes directory with deny from all.
So far, its doing exactly what I want, the forms include in my pages & everything works and if I use my browser to navigate to the includes/forms directory or any of the files inside it, I get a forbidden message. Great!

Is this a common way to protect such files, or might this lead to any problems that I haven’t thought of?

afaik: if you use user/pw on that folder, ppl will be asked to login - even if the including page is NOT protected…
if you simply do something like
*.php deny all, it “should” work…
but I speak from memory - not tested recently…


if you want to use your qoted code, you need to buffer the output

on top of page make ob_start()
on bottom ob_end()

afaik you can redirect between those cpmmands with header…
you can even start a session in between because no output-stream is opened until the ob_end() or ob_flush()

Ok thanks, I’m not sure how to password protect the directory itself with php, I only know how to protect the file.

I used straight deny all with .htaccess, no access to anything in that folder and my pages still include the files ok. I just tried to remotely include the form and that doesn’t work, so it seems pretty secure, but I guess maybe I should look up how to protect directories with the same login.

no better not - for the include purpose, the password is the “no go”…
why it works with deny all and not with pw is that user/pw is I guess because it’s a http action - after the output stream was opened - the “deny all” obviousely also applies to http-type access to this folder…
php-including happens - so to speak - on a layer above - so it is not affected by htaccess-rules
I guess we could say it that way: Apache reads the htaccess - not php!

the password user thing was just a problem I encountered once in the past, so I wanted to inform you about that possible problem


Ah ok, that’s a new lesson for me!

Thanks for this Hensel :slight_smile: