How can I prevent access to my PHP include files like header.php, footer.php and the likes?

I am developing a website for myself and I wonder how I can prevent direct access to include files like header.php and footer.php. Those files should only be incorporated in pages like index.php or other pages wherein they will be called using <?php include(''); ?>. Should I do it through PHP? How about editing the .htaccess file, or are there any other methods?

  • place the file(s) in a directory outside the web root.
  • the web server will never serve these files to users.
  • PHP et al. can still access the files via include\require etc.
  • This has been the gold standard approach for several decades.

I offered 3 suggestions and since you didn't provide much to go on, I will give you one elaboration.

As @Dragon alludes to, when you use include() you're reading via the file system and not via an HTTP request. You can check for an HTTP verb ($_REQUEST, $_GET, $_POST) and refuse to show content or fake a 401.

<?php
if(isset($_REQUEST) || isset($_GET) || isset($_POST)){
  header("HTTP/1.0 404 Not Found");
  die();
}

// Do the needed
?>

I will let you figure out the gotcha on your own here.

It would be perfect if your server is Linux, because then what you can do is follow Dagon's suggestion of placing the files to include outside of the web root.

The web root of course is the base folder that contains files the outside world is meant to access. On many systems, this is the public_html folder.

On a system with WHM/cPanel installed, you might have a special user account where the root of that account (where anything can be stored) is located at /home/user on the entire system. This can be viewed by using the file manager utility included with cPanel when logged in. In that /home/user folder, you may find configuration files and folders starting with a period as well as public_ftp and public_html folders.

In the /home/user folder, you can place the PHP files you don't want the world to directly access. Then in public_html (accessible within /home/user), you can place the index.php file that has the include statement to the "protected" files. That way in index.php you can use this statement:

include "../file-to-include.php";

Just make sure that the administrator has set the owner of the /home/user folder to the same username you log in with or you may get access denied messages when trying to access the file. On a decent cPanel setup, the last step would have already been done for you.
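
An added example, not part of any answer above: a PHP-side check for the case where include files have to stay inside the web root. It compares the script the server was asked to run with the include file itself; the helper name is_direct_request, the temporary directory layout and the $_SERVER samples are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example, not from the answers above).
// True when $includeFile is itself the script the server was asked to run,
// i.e. a direct request; false when another script pulled it in via include.
function is_direct_request(string $includeFile, array $server): bool
{
    $requested = $server['SCRIPT_FILENAME'] ?? '';
    if ($requested === '') {
        return false; // nothing to compare against, so treat it as an include
    }
    // realpath() normalises "./", "../" and symlinks, and returns false for
    // paths that do not exist.
    $entry = realpath($requested);
    $self  = realpath($includeFile);
    return $entry !== false && $entry === $self;
}

// Constructed layout for the demo: a web root holding index.php and header.php.
$webRoot = sys_get_temp_dir() . '/include-demo-' . getmypid() . '/public_html';
mkdir($webRoot, 0700, true);
file_put_contents("$webRoot/index.php", "<?php include __DIR__ . '/header.php';");
file_put_contents("$webRoot/header.php", "<header>site header</header>");

// Constructed $_SERVER samples.
$samples = [
    'included from index.php' => ['SCRIPT_FILENAME' => "$webRoot/index.php"],
    'requested directly'      => ['SCRIPT_FILENAME' => "$webRoot/./header.php"],
    'no SCRIPT_FILENAME'      => [],
];

foreach ($samples as $label => $server) {
    $direct = is_direct_request("$webRoot/header.php", $server);
    printf("%-24s => %s\n", $label, $direct ? 'refuse (404)' : 'render');
}

// Remove the constructed files.
unlink("$webRoot/index.php");
unlink("$webRoot/header.php");
rmdir($webRoot);
rmdir(dirname($webRoot));
```

In a real include file the same comparison goes inline at the top, against __FILE__ and $_SERVER, because no helper has been loaded when the file is requested directly.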
