PHP Includes

Boxersoft · ‎25-07-2009

If I understand correctly, the general advice on files containing PHP fragments for inclusion in PHP scripts is to place them somewhere outside of the scope of the web-served directory tree. It looks to me as if the organisation of user areas on the PlusNet ccgi setup precludes that, because everywhere under user control is within the served scope. Is best practice on this platform simply to place them in a folder with browsing turned off and permissions set to prevent execution (600: -rw-------)? I'm not particularly familiar with Linux permissions so I'm not too clear about what allows/denies Apache permission to serve a file (other than, presumably, *.php and other script files would presumably be executed server-side and never have their contents delivered to a browser).

Ben_Brown · ‎13-06-2007

You could put them all in a directory (for example 'includes') and use mod_rewrite to deny access. In your cgi home directory (the one you're in when you FTP in) place a file called .htaccess containing:


RewriteEngine On
RewriteRule ^/includes/? -

This will give a 403 Forbidden error for anything in /includes (e.g. http://ccgi.username.plus.com/includes/foo.php). As the PHP include is internal to PHP it will still be able to include them.

Boxersoft · ‎25-07-2009

Excellent - thanks Ben.

Gabe · ‎29-10-2008

Must be Friday.
No leading slash in .htaccess rewrites, so just:

RewriteEngine On
RewriteRule ^includes/? -

in the home directory, or

deny from all

in the includes directory (or call them foo.inc.php anywhere and use a FilesMatch)
Gabe

Ben_Brown · ‎13-06-2007

Gah, I'm more used to writing rewrites in the server config, where you do use a leading slash. Well that's my excuse anyway

Boxersoft · ‎25-07-2009

Thanks both.

PHP Includes

PHP Includes

Re: PHP Includes

Re: PHP Includes

Re: PHP Includes

Re: PHP Includes

Re: PHP Includes