PHP Security - Block Access to Include Files Using .htaccess
When I build websites for clients and myself, I use numerous include files to make my website easy to maintain. These include files may:
- be composed of pure HTML; no server-side programming involved
- be PHP class files; used throughout the website
- be composed of both HTML and PHP
- be PHP code that performs a specific action; many times, these are AJAX scripts
Obviously, if a person were to get lucky and guess the path and file name of my include scripts, problems could result, especially if an AJAX script is not secured (but I wouldn't do that — nor would you, right?). For example, take the following poorly coded bit of PHP that would get run when an AJAX call was made:
//inside file: includes/ajax/delete_id.inc
$query = 'DELETE FROM my_table WHERE id = '.$_GET['id'];
mysql_query($query);
Imagine if the user changed the 'id' in the querystring to "' or 1" — all data would be lost! (There's really no excuse for having an unprotected script, but this is a simple example)
Even if my scripts are secure (meaning I use proper validation to make sure they've been called correctly), a user/hacker has no business calling an include file. Using .htaccess, we can prevent any attempt by a user to reach an include file:
<FILES ~ "\.inc$">
Order allow,deny
Deny from all
</FILES>
The above code tells the server to disallow any requests by the user for any file ending in ".inc". You can easily modify the above .htaccess for your own naming convention and folder structure.
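As an added illustration (not from the article), here is the same rule widened to cover a few include-style extensions, written so it works on both the Apache 2.2 and the Apache 2.4 authorization syntax; the extension list is an assumed naming convention, adjust it to your own:

```apache
# Added example: deny any direct request for include-style files.
# Assumed naming convention: *.inc, *.inc.php and *.class.php
<FilesMatch "\.(inc|inc\.php|class\.php)$">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Two things to check when you deploy this. First, `.htaccess` is only honoured if the server configuration's `AllowOverride` permits it (`Limit` for `Order`/`Deny`, `AuthConfig` for `Require`); if it is set to `None`, the file is silently ignored and the includes stay reachable. Second, `<Files>` and `<FilesMatch>` match the file name only, so if all your includes live in one directory it is simpler to drop a `.htaccess` containing just `Require all denied` (or `Deny from all`) into that directory and block every request for it. After either change, request one of the include URLs in a browser or with a fetch tool and confirm you get a 403 rather than the script's output.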
Do you employ this type of system? Do you have any ideas for improvement?
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)
Comments
Cal Evans replied on Wed, 2008/01/30 - 9:01am
Hi David,
Great tip!
Another way to prevent prying eyes from getting to your classes, password files, etc. is to locate all non-essential files outside of your web root. Apache can't serve what Apache can't see, but by adjusting your include_path you can still access all of your files from within PHP.
=C=
http://devzone.zend.com
http://blog.calevans.com
David Walsh replied on Wed, 2008/01/30 - 9:20am
Good call Cal. I suppose this would be used more when placing a website on shared hosting where you aren't allowed to post outside of root.
Thank you for your tip as well!
David Walsh
Web Developer & Zone Leader
http://davidwalsh.name/
rocky1138 replied on Wed, 2008/01/30 - 9:43am
David Walsh replied on Wed, 2008/01/30 - 10:42am
David Walsh
Web Developer & Zone Leader
http://davidwalsh.name/
Jon Gilkison replied on Wed, 2008/01/30 - 9:00pm
Two things:
a. Put your includes outside of your public directory.
b. .htaccess files are a major performance bottleneck and should be avoided at all costs.
David Walsh replied on Thu, 2008/01/31 - 10:01am
David Walsh
Web Developer & Zone Leader
http://davidwalsh.name/
Philippe Lhoste replied on Thu, 2008/02/07 - 8:09am
in response to: rocky1138
Well, the PHP file will be executed anyway, which can be dangerous, particularly with the given example!
I saw a trick, which is to set a define in the main module, and to test that it is defined in the include file: if it is not set, it means the include file was called directly, so the script should die immediately.
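The two suggestions from the comments, Cal Evans' (keep the includes outside the web root and reach them through include_path) and Philippe Lhoste's (define a constant in the entry script and refuse to run if it is missing), fit together in a couple of lines. The following is an added example and is not code from the article or from either commenter; the directory paths, the `IN_APP` constant name and the PDO connection details are assumptions, and the delete itself is rewritten with a validated integer and a prepared statement rather than the article's string concatenation.

```php
<?php
// ---- file: /var/www/html/index.php (public entry point, inside the web root) ----
// Added example, not from the article or the comments. Assumed layout:
// web root is /var/www/html; includes live in /var/www/app/includes, which
// Apache never serves because it is outside the document root.
define('IN_APP', true);
set_include_path('/var/www/app/includes' . PATH_SEPARATOR . get_include_path());

// Assumed database connection; credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'CHANGE_ME');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Resolved through include_path, so the URL space never exposes this file.
require 'ajax/delete_id.inc';
```

```php
<?php
// ---- file: /var/www/app/includes/ajax/delete_id.inc ----
// Guard: if IN_APP is missing, this file was requested directly instead of
// being loaded by index.php, so stop before touching the database.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

// Accept only an integer id; filter_input returns null if the parameter is
// absent and false if it is present but not an integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id.');
}

// A prepared statement keeps the id out of the SQL text, so a value such as
// "1 or 1" is rejected by the integer filter and could not alter the query anyway.
$stmt = $pdo->prepare('DELETE FROM my_table WHERE id = ?');
$stmt->execute([$id]);
echo $stmt->rowCount() . ' row(s) deleted';
```

The guard is a defence in depth on top of the .htaccess rule: if the hosting account cannot place files outside the web root, or an `AllowOverride None` setting makes Apache ignore the `.htaccess`, a direct request still produces a 403 from PHP itself instead of running the delete.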
fourcs replied on Sun, 2008/09/14 - 9:55am
Shown replied on Mon, 2009/10/05 - 2:30am
The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.
John
pci security
http://devzone.zend.com