> -----Original Message-----
> From: Jon Anderson [mailto:jon@xxxxxxxxxxxxxxxxxx]
> Sent: Thursday, 15 February 2007 17:11
> To: Tim
> Cc: 'php-general'
> Subject: Re: Deny processing of non included files
>
> Easy answer: deny access to them. Use your web server to
> prevent execution of the files. Generally, if you're using
> Apache, you can just do this:
>
> <Directory /path/to/modules/>
> Order Allow,Deny
> Deny From All
> </Directory>

Great, I'll go the .htaccess way. I don't need any files accessible through the browser other than http://thissite/index.php and http://thissite/admin/index.php.

> You may also be able to do that from a .htaccess file.
>
> If you can't configure the server, just use a define at the
> top of your index script:
>
> define('__INDEX_PHP',TRUE);
>
> Then just check it with a one-liner at the top of each script
> that is for inclusion only.
>
> Tim wrote:
> > 1. My included files "assume" the top file has initiated an instance
> > of a certain object, thus being able to use the resources of the
> > instanced objects in the top file (obviously I have the necessary
> > checks to make sure the instance has been created before including the
> > file). Should I be initializing new instances of the object at the top
> > of each included file to prevent errors from appearing in case someone
> > accesses the file directly? Or should I believe it doesn't really matter,
> > as in a production environment display_errors is set to off so no
> > error output will be shown...
>
> I don't think you ever want include files to be executed in
> the wrong context. Just deny access.

Sure, that's what I thought but couldn't get it to work. You put me on the right track with the "Directory" directive.

> If anything, just make an index.php page in each module dir
> that contains only "Thanks for visiting this page, but the
> link you followed is probably mistyped. Try <a
> href=\"$document_root\">this</a> instead."

Well, I do have a blank index.html in ALL directories to stop directory listing.

> > 2. What is the assessed security risk if someone accesses a file directly
> > even if it does not output anything?
>
> Depends on what the file contains. If it contains this:
> "`sudo rm -r $directory/*`", then the results could be
> disastrous, but let's hope that it wouldn't contain code like
> that. :-)
>
> > 3. Is there a way to check that a file has been included by such and
> > such file, or should I develop a hash system where the top page that
> > includes files generates a hash, stores it in the db for the length of
> > the script and in a variable, and has the included file check that
> > the variable from the top file and the hash in the db correspond?
>
> See above "define(...)" bit, which is really based on the old C header
> trick:
>
> #ifndef __SOME_FILE_H
> #define __SOME_FILE_H
>
> <a bunch of stuff>
>
> #endif

Ok, let's just deny access :)

Thanks a bunch ;)

Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
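The "define at the top of the index script, check it at the top of each include-only file" pattern that Jon describes, written out as an added example (two files shown in one block; this is not code from the thread or from either poster). The constant name `APP_ENTRY`, the file `modules/report.php`, the class `Report` and the in-memory SQLite table are all assumptions chosen for the illustration.

```php
<?php
// ===== File 1: index.php (the only script meant to be requested) =====
// Added example, not from the thread. APP_ENTRY is an assumed constant name
// (the thread uses __INDEX_PHP); define it BEFORE any include so that only
// requests that really came through this entry script pass the guard below.
define('APP_ENTRY', true);

// Constructed stand-in for the application's real database connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO entries (id) VALUES (1), (2)');

// The include-only module relies on $db already existing (Tim's point 1).
require __DIR__ . '/modules/report.php';
$report = new Report($db);
echo $report->rowCount(), PHP_EOL;


<?php
// ===== File 2: modules/report.php (include-only, hypothetical) =====
// Very first statement in the file, before any class or function body, so a
// direct request for /modules/report.php produces a bare 403 and nothing
// else: no partial output, no notices about the missing $db, no stack trace.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

// Everything below may safely assume the entry script has set up $db.
class Report
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    public function rowCount(): int
    {
        return (int) $this->db->query('SELECT COUNT(*) FROM entries')->fetchColumn();
    }
}
```

Two practical notes on combining this with the web-server deny that the thread settles on. First, the `<Directory>` container is only valid in the main Apache configuration; inside a `.htaccess` file placed in the modules directory itself you write just the `Order Allow,Deny` / `Deny from all` lines (or `Require all denied` on Apache 2.4), since the file already applies to that directory. Second, the PHP guard is a fallback, not a substitute: it only helps on files the server actually executes as PHP, so the server-level deny remains the primary control, and the blank `index.html` only suppresses directory listings without protecting the module files themselves.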