On Tue, 17 Aug 2004 10:42:50 -0400, Gryffyn, Trevor wrote:

Hi Trevor.

a short note ...

>Maybe not the most elegant, but I like to keep my stuff kind of modular
>so what I've done is just create an "includes" folder in the root and
>then reference it as include("../includes/includename.inc") from the
>scripts that are all in their own folders (by project).

I usually use this method as well ... and also do the following:

(a) In all files I assign a variable $rootdir, so in case a file or a folder moves later on, I only need to adjust the variable and all other links don't need to be changed. This variable simply sets the path from the file to the root (e.g. $rootdir="../../" or whatever it is depending on the location of the file).

>This may not be the best as far as security is concerned since it's easy
>to guess at "/includes" existence and some include files might contain
>information that could be useful to a would-be hacker, but I'm working
>on an internal environment anyway so it's not so critical for me.

(b) Instead of using ".inc" as the ending for the include files, I use ".inc.php" so that they won't display as plain text if called up in a browser directly. This avoids the security problem, as the files are then regarded as PHP files and are "interpreted" rather than just displayed as plain text...

>Although, thinking about it, if you have access to a folder above where
>your website lives, you could do something like this:
>
>$dir = dirname($_SERVER["PATH_TRANSLATED"]) . "/../includes/";
>include($dir ."includefile.inc");
>
>That'd give you the "c:\foldername\" full path of the currently
>executing script, then go up a level (parent folder) then back down to
>an includes folder. Add more ".." to go further. As long as
>permissions are proper for accessing that folder, that'd probably work.

Seems like in this case the folder with the sensitive include info is again inside the website folders?

If one has access to a folder above the website root, PHP can access files in that location even though a browser can't ...

Files with real sensitive information (database login, password info, etc.) in a folder "outside" (one level above) are outside the website's root folder; a browser cannot access them directly as it can't go outside the assigned website root, but a PHP script could by using something like

include("../" . $rootdir . "secretinfo.inc.php");

Anyone have further ideas to improve on this?

Have a great weekend

Wolfgang

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
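
Added example, not part of the original thread: one way to load an include file kept outside the web root, resolving the private directory from the script's own location and rejecting any name that resolves outside that directory. The directory layout, the helper name private_include_path() and the sample credentials are assumptions constructed for the demonstration.

```php
<?php
// Added example; directory and file names are assumptions modelled on the thread.
declare(strict_types=1);

/**
 * Resolve an include file inside $privateDir and refuse anything that
 * escapes it (e.g. "../" segments or symlinks pointing elsewhere).
 */
function private_include_path(string $privateDir, string $name): string
{
    $base = realpath($privateDir);
    if ($base === false) {
        throw new RuntimeException("private include dir missing");
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing include outside private dir: $name");
    }
    return $path;
}

// --- Constructed sample layout so the example runs offline -----------------
$site = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$site/htdocs/project", 0700, true);   // web root: reachable by URL
mkdir("$site/private", 0700, true);          // sibling of web root: no URL maps here
file_put_contents("$site/private/secretinfo.inc.php",
    "<?php\nreturn ['db_user' => 'app', 'db_pass' => 'constructed-sample'];\n");

// In a real script this would be dirname(__DIR__, 2) . '/private', computed
// from the script's own location, replacing a per-file $rootdir variable.
$scriptDir  = "$site/htdocs/project";
$privateDir = dirname($scriptDir, 2) . '/private';

$config = require private_include_path($privateDir, 'secretinfo.inc.php');
echo "loaded config for user: {$config['db_user']}\n";

try {
    // A name that climbs back into the web root is rejected.
    private_include_path($privateDir, '../htdocs/project');
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}

// Remove the constructed sample layout.
unlink("$site/private/secretinfo.inc.php");
foreach (['private', 'htdocs/project', 'htdocs', ''] as $d) { rmdir("$site/$d"); }
```

The include file returns its settings as an array instead of defining globals, so requesting it directly would produce no output even if it were ever moved back under the web root.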