Re: Deny processing of non included files

Easy answer: deny access to them. Use your web server to prevent execution of the files. Generally, if you're using Apache, you can just do this:

<Directory /path/to/modules/>
   Order Allow,Deny
   Deny From All
</Directory>

You may also be able to do that from a .htaccess file.

If you can't configure the server, just use a define at the top of your index script:

define('__INDEX_PHP',TRUE);

Then just check it with a one-liner at the top of each script that is for inclusion only.

Tim wrote:
> 1. My included files "assume" the top file has initiated an instance of a
> certain object thus being able to use the resources of the instanced objects
> in the top file..(obviously I have the necessary checks to make sure the
> instance has been created before including the file)
> -Should I be initializing new instances of the object at the top of each
> included file to prevent errors from appearing in case someone accesses the
> file directly? Or should I believe it doesn't really matter as in a
> production environment display_errors is set to off so no error output will
> be shown...

I don't think you ever want include files to be executed in the wrong context. Just deny access.

If anything, just make an index.php page in each module dir that contains only "Thanks for visiting this page, but the link you followed is probably mistyped. Try <a href=\"$document_root\">this</a> instead."

> 2. What is the assessed security risk if someone accesses a file directly even
> if it does not output anything?

Depends on what the file contains. If it contains this: "`sudo rm -r $directory/*`", then the results could be disastrous, but let's hope that it wouldn't contain code like that. :-)

> 3. Is there a way to check that a file has been included by such and such
> file or should I develop a hash system where the top page that includes
> files generates a hash, stores it in the db for the length of the script and
> in a variable, and have the included file check that the variable from the
> top file and the hash in the db correspond?

See above "define(...)" bit, which is really based on the old C header trick:

#ifndef __SOME_FILE_H
#define __SOME_FILE_H

<a bunch of stuff>

#endif

jon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
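
Added example, not part of jon's message: a Python audit that flags include-only PHP files whose first statement is not the `__INDEX_PHP` check described above. The accepted guard spellings (`defined('__INDEX_PHP') or exit;` and `if (!defined('__INDEX_PHP')) exit;`), the function names and the sample files are assumptions made for this example.

```python
import re
from pathlib import Path

GUARD_CONSTANT = "__INDEX_PHP"  # constant name taken from the post

# Whitespace and comments that may legitimately precede the guard.
_SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)

def _guard_re(constant):
    # Assumed guard shapes; the post only says "a one-liner".
    check = r"defined\s*\(\s*['\"]" + re.escape(constant) + r"['\"]\s*\)"
    stop = r"(?:exit|die)\b"
    return re.compile(
        check + r"\s*(?:or|\|\|)\s*" + stop                       # defined('X') or exit;
        + r"|if\s*\(\s*!\s*" + check + r"\s*\)\s*\{?\s*" + stop,  # if (!defined('X')) exit;
        re.I)

def has_include_guard(php_source, constant=GUARD_CONSTANT):
    """True only if the FIRST statement after <?php refuses direct access."""
    opened = re.match(r"<\?php\b", php_source)
    if not opened:
        return False  # anything before the opening tag is emitted unguarded
    pos = _SKIP.match(php_source, opened.end()).end()
    return bool(_guard_re(constant).match(php_source, pos))

def audit_sources(sources, constant=GUARD_CONSTANT):
    """sources: {path: php_text}. Returns the sorted paths lacking the guard."""
    return sorted(p for p, src in sources.items()
                  if not has_include_guard(src, constant))

def audit_tree(root, constant=GUARD_CONSTANT):
    """Run the same check over every *.php file under an include-only directory."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in Path(root).rglob("*.php")}
    return audit_sources(files, constant)

# Constructed sample files (not from the thread).
SAMPLES = {
    "modules/news.php": "<?php\n// include-only module\ndefined('__INDEX_PHP') or exit;\n$news = load_news();\n",
    "modules/poll.php": "<?php\nif (!defined('__INDEX_PHP')) { exit; }\nshow_poll();\n",
    # Guard present but too late: the query runs before the check.
    "modules/admin.php": "<?php\n$db->query('DELETE FROM sessions');\ndefined('__INDEX_PHP') or exit;\n",
    "modules/util.php": "<?php\nfunction helper() {}\n",
}

if __name__ == "__main__":
    for path in audit_sources(SAMPLES):
        print("missing include guard:", path)
```

The check is deliberately strict: a guard that appears after other statements is reported as missing, because everything above it still executes on a direct request.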

