PHP - Include Protection

luiz_itape · 02-16-2006, 04:28 AM

Include Protection

Using includes in PHP to simplify life? Don't want your visitors to access them and receive errors or partial content? The solution is simple enough, though many people don't worry or don't consider it as a "threat".
????: NamePros.com http://www.namepros.com/webmaster-tutorials/168063-php-include-protection.html
There are a few reasons you wouldn't want someone to go through directories trying to access your include files. Whatever yours might be, there's an easy way to prevent it.
On your index file, you have it generate a variable.

Code:

<?php
$include_lock = "unlocked";
?>

So we now have some code that generates a variable, '$include_lock' with the value 'unlocked'. Why are we doing this? Well, since you only want them to access the page through the index, we'll make a lock and key so that only going through the index file gives them the key.
With the code above, we need to now put something on the page that actually performs as the lock. It's simple enough, we'll just use a nice, clean if statement.

Code:

<?php
if ($include_lock != "unlocked") {
//Shut them down.
header("Location: 404.shtml");
OR
die("404 - File Not Found");
//You basically want it so that it would look like the typical 404 message from your site.
} else {
//your normal content goes here.
}
?>

You'll want to take note that if you have 'register_globals' on, the user could simply add '?include_lock=unlocked' to the URL and gain access. To get around that, you could disable register_globals or use a session variable. If you go the session route, kill the variable after you do the include.

02-16-2006, 04:28 AM	THREAD STARTER #1 (permalink)
luiz_itape New Member Join Date: Feb 2006 Posts: 3	PHP - Include Protection Include Protection Using includes in PHP to simplify life? Don't want your visitors to access them and receive errors or partial content? The solution is simple enough, though many people don't worry or don't consider it as a "threat". ????: NamePros.com http://www.namepros.com/webmaster-tutorials/168063-php-include-protection.html There are a few reasons you wouldn't want someone to go through directories trying to access your include files. Whatever yours might be, there's an easy way to prevent it. On your index file, you have it generate a variable. Code: <?php $include_lock = "unlocked"; ?> So we now have some code that generates a variable, '$include_lock' with the value 'unlocked'. Why are we doing this? Well, since you only want them to access the page through the index, we'll make a lock and key so that only going through the index file gives them the key. With the code above, we need to now put something on the page that actually performs as the lock. It's simple enough, we'll just use a nice, clean if statement. Code: <?php if ($include_lock != "unlocked") { //Shut them down. header("Location: 404.shtml"); OR die("404 - File Not Found"); //You basically want it so that it would look like the typical 404 message from your site. } else { //your normal content goes here. } ?> You'll want to take note that if you have 'register_globals' on, the user could simply add '?include_lock=unlocked' to the URL and gain access. To get around that, you could disable register_globals or use a session variable. If you go the session route, kill the variable after you do the include.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Great Scripts for Sale With Resale Rights!	Zeeble	Scripts For Sale	20	01-04-2006 01:39 AM
Googlism - What does google think of you?	deadserious	The Break Room	55	12-15-2005 09:09 AM
PHP Include Shop	GHOwner	For Sale / Advertising Board	0	10-18-2004 05:13 PM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)