3

First of all, I'm pretty sure a similar question will be on Stack Overflow, but I didn't really find it. Probably because I am using the wrong keywords. So don't shoot me because of that.

What my question basically is, I want to include php files, but I only want them to be included and not for people to be opened with their browser. They should get an error.

For example I have an includes directory with a php file which contains my connection to a DB (password etc.. dangerous?) . I want to be able to include it, but I don't want people to directly visit the page.

Will putting a password on the includes directory with htaccess fix my problem? First I thought it wouldn't, because it would be weird that pages can be included for users that don't have access to it. But it seems to work, how does this come? Is there an other better option ? What do web developers usual do?

And also can I do something similar for javascript files? My guess is that this won't be the case, but I'm just asking. The js file contains ajax calls to certain pages, but I guess I'm happy if I can protect the php pages from visiting.

Anyway thanks in advance :)

Anonymous
  • 584
  • 3
  • 15
  • 1
    As long as you have php installed and apache configured correctly, someone visiting any .php will only see what you echo out – Sam Dufel Jun 06 '12 at 23:02
  • As a note, why are you worried about people seeing the contents of your PHP files? Even *if* they try to download them through the browser, all they'd get is the OUTPUT of those scripts (i. e. anythign you 'echo'). – RonLugge Jun 06 '12 at 23:02
  • There is absolutely no way they can see the contents of the php file if I don't echo it? I was not 100% sure of that. And basically I prefer an error above a white page I guess. – Anonymous Jun 06 '12 at 23:18
  • @gl3nn - an error message is preferable to a white page when you're on a dev system. When you're on a live website, it's better to have a white screen, to avoid giving away security details about the site. The errors are still recorded in the log. – Spudley Jun 07 '12 at 18:39

5 Answers5

9

I think explaining how the pieces work together will help clear up the confusion.

A request comes in (from the user's web browser). Your web server (in this example, Apache) receives this. First, it checks the <Location> permissions. Then it looks through the rest of the configuration, and eventually maps the request URI to the filesystem. Now, finally, it can check <Directory> permissions as well as .htaccess.

If any of those permission checks fails (e.g., deny from all), Apache stops processing the request, and sends back an error (or request for username & password in the case of HTTP Basic authentication).

Once all the permission checks pass, Apache looks at the file, and notices that its a .php file. Somewhere in your (or your web host's) Apache config, there is an AddHandler directive that tells Apache to pass this request on to the PHP engine (which could be mod_php, or via fast cgi). (For most files, it instead sends the contents of the file to the browser. But script files are special, because of that AddHandler.)

Now, PHP reads your script file. It then also reads your include files directly. This doesn't go back through Apache, so things like .htaccess do not apply. It also means that your PHP includes do not need to be in your document root. They can be anywhere that the PHP process can access (based on UNIX permissions and PHP configuration). Setting an include_dir in your php.ini makes it easy to put these wherever.

Client-side JavaScript is run by the user's browser. It isn't interpreted server-side (like PHP is). So the user must be able to access it, just like the user must be able to access your .html files.

So, in short:

  • You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all.
  • You can not do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).
derobert
  • 47,899
  • 11
  • 91
  • 122
  • I understand everything except the and permissions part. If they have nothing to do with the htaccess ( since this is the next step ) where do they come from? How can they be edited? (Not that I will do this, but I'm curious where they are defined. ) – Anonymous Jun 06 '12 at 23:33
  • @gl3nn They're in the main Apache config (in /etc/apache or /etc/apache2, typically, on Linux at least). If you're on a shared-hosting setup, you may be allowed to make some changes in your VHost config. – derobert Jun 07 '12 at 17:30
  • Is it possible that other people include a php file with functions in it from my website into their php file, and then call functions from it ? – Anonymous Jun 09 '12 at 16:13
  • @gl3nn If they have read access to your files, then they could. Hopefully, your host doesn't allow this, at least not by default. – derobert Jun 09 '12 at 23:53
  • Read access, as in, they can see the php code in the file? How can I check this, and be sure it's not the case? I tried including a page from my host into a localhost file, I got a few errors, but I'm not sure yet. – Anonymous Jun 10 '12 at 21:21
  • @gl3nn If you try remote includes, that works the same as a web browser (the request goes through Apache). Someone on the *same server* may be able to use a local include, if they have OS-level read permissions. – derobert Jun 11 '12 at 14:42
3

Ideally, your PHP includes should be in a folder that is not directly accessible to the web.

eg: say your web site is in /var/www/htdocs/, then you would put index.php in there, but the includes should be in a separate folder, outside the web-accessible area. In this example, you could have a folder alongside htdocs called something like /var/www/includes/, where the PHP includes would live.

This way they are completely protected from unwanted direct web access.

In addition, you should write your PHP code such that an include file only contains classes or functions. This means that if it is accessed somehow from the web, nothing will happen: PHP will load all the functions, but won't run any of them, so the user will just see a blank page.

If another page wants to include that file, it would need to to the include, and then also call the function(s) inside it; you shouldn't have an include that runs code immediately.

You should only write PHP code that runs immediately on the pages that are intended for direct user access, such as index.php.

Hope that helps.

Spudley
  • 161,975
  • 39
  • 229
  • 303
  • If I put the files beneath the root, is it still really necessary to make functions of all my includes then? Seems smart for my next project, but editing everything now looks like a long work. +1 for you. – Anonymous Jun 06 '12 at 23:27
  • @gl3nn - yep, moving the files out of the web accessible area will protect them in that respect. Writing code in functions as described is good programming practice in general, but if you've already got things written, just putting them in a safe location will be sufficient. – Spudley Jun 07 '12 at 18:37
  • Moving include files outside the web-accessible directories works, but conflicts with using "php_value open_basedir ..." to restrict Include access for better security. It may also require changing uploading files to a server. The next answer, testing whether an include file is actually included, is probably a bit better. – David Spector Jan 08 '20 at 14:30
2

You do have the option of doing this without using .htaccess (not saying it's a better solution, just a different one).

In files you wish the user to access directly, put the following before any includes:

@define('IN_APPLICATION', true);
require 'file.class.php'; //sample include

Then in the includes (class files), put the following code right at the top:

if (!defined('IN_APPLICATION')){
    die(header('HTTP/1.0 404 Not Found')); //or just die();
}

This will ensure that the class files are only accessible when included by a file (front end) that defines IN_APPLICATION. You could alternatively just kill the class file with a die() by itself rather than faking a 404.

Mansfield
  • 13,629
  • 18
  • 77
  • 111
  • Nice, but you don't have to define a constant. You can use "if (!function_exists('NAME'))" to detect whether the file is being included by a php file that includes the definition of a given function. – David Spector Jan 08 '20 at 14:25
1

Make a .htaccess file in your includes directory

deny from all

Can't be done for client-side scripts because the browser must be able to access them. The best you can do is obfuscate them.

Community
  • 1
  • 1
Cameron Martin
  • 5,902
  • 2
  • 37
  • 52
0

Hmm, as already mentioned, htaccess will not prevent php from accessing htpassword secured folders. Consequently, Apache has to be invoked in order to use it's security features which are quite secure, at least with https IMHO, eg: 

header('Location: secret/index.php');

Where the folder secret is secured with htaccess.

index.php might look like this:

<?php
$a = $_REQUEST['a'] ;
if ($a==secret)  
    header('Location: secret/index.php');    
include_once("index_head.php");
include_once("index_tail.php");
?>

And secret/index.php

<?php 
include_once("../index_head.php");
include_once("./secret.php");
include_once("../index_tail.php");
?>

The main remaining problem is now, that secret/index.php will not find any links like ./main.css etc. Therefore links have to be defined absolute not relative, but I am sure that you guys now how to do that;-)

A running example is on http://promotio.ch/secret.php/

user3267299
  • 11
  • 1