When creating large applications or web sites, it is often useful to split the code into separate classes, or simply to compartmentalize it. For example, put all your database functions in a single file and include that file from every page that needs them.

What is an Include File
Let's say your entire site has a common header. You would put the header code in a file, say header.php, and then include it from your other pages using:
<?php include("header.php"); ?>
Likewise, you could use require instead of include; require stops the script with a fatal error if the required file is not found, whereas include only emits a warning and carries on. If you are including a file of PHP functions, on the other hand, you would use include_once or require_once to make sure the same file doesn't accidentally get included twice (which would cause PHP to barf up a fatal error about a function being redeclared).
Security Concerns
The security concern is that users may be able to request these include files directly. Here are several ways of protecting them:
- Name your include directory something unique
Usually, all of these include files are stored in a single directory for organizational purposes. That's actually a good thing, but more often than not the directory is called inc or include — not exactly hard to guess.
- Give it only the necessary permissions and ownership
The include files only need to be readable by the account the web server runs as, and by no one else; by setting the appropriate permissions you'll keep them out of users' web browsers.
- Put it outside of your web accessible directory
This is perhaps the safest method. By placing the directory somewhere outside your web accessible directory, your scripts can still read it but no web request can reach it. For example, if your web pages live in the www directory, simply place your include files in a directory alongside www (not inside it).
By combining the three techniques above, you can be sure that no one will be able to access your include files directly.
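A layout that combines the third technique with a small defensive check, as an added example rather than code from the original post: the includes directory sits beside www instead of under it, its files are readable only by the server's account and group, and each include exits unless a legitimate entry page has defined a marker constant. The temp-dir layout, the file names and the APP_ENTRY constant are assumptions.

```php
<?php
// Added example (not the original post's code): lay includes out beside the
// document root, lock down their permissions, and guard each include so a
// direct request does nothing. Paths and the APP_ENTRY name are assumptions.
declare(strict_types=1);

// Constructed layout under a temp dir:
//   <site>/www/        document root (web accessible)
//   <site>/includes/   sibling of www, never served by the web server
$site = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$site/www", 0755, true);
mkdir("$site/includes", 0750, true);

// The include file. Its first lines are the guard: a direct request has no
// APP_ENTRY, so the file exits before any code runs or markup is emitted.
$dbInclude = <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}
function db_connect(): string { return 'connected'; }
PHP;
file_put_contents("$site/includes/db.php", $dbInclude);
chmod("$site/includes/db.php", 0640);  // server account and its group only

// Deployment sanity check: no include file may live under the document root.
function isOutsideDocRoot(string $path, string $docRoot): bool
{
    $p = realpath($path);
    $r = realpath($docRoot);
    return $p !== false && $r !== false
        && strpos($p, $r . DIRECTORY_SEPARATOR) !== 0;
}

// ---- what www/index.php does ----
define('APP_ENTRY', true);                 // marks a legitimate entry point
$inc = "$site/includes";                   // in index.php: dirname(__DIR__) . '/includes'
if (!isOutsideDocRoot("$inc/db.php", "$site/www")) {
    throw new RuntimeException('include directory is web accessible');
}
require_once "$inc/db.php";                // *_once: a second include is a no-op
echo db_connect(), PHP_EOL;
```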
Tags: includes, PHP, security
Thank you. That is very helpful.
I never thought someone would 'hijack' your includes.
What do you see as the risks or potential consequences of allowing people to access your includes directly?
Thanks man, very interesting.
I do a lot of php work, but I never thought to protect the include files. If a user tries to view one of them, shouldn’t it just run and not display to the user? I love the picture of the padlock flashdrive, any idea where I could find one of those?
I find having a general file that has all the other includes even simpler.
For example, have all your files include header.php; however, header.php includes your classes.php, functions.php and your config.php. Also, there's not really much danger of a reading as long as your site is secure. Always .htaccess all your 777 dirs.
Security concerns could arise in several situations.
1) If a later include (i.e. footer include) references values that were instantiated before, then it could potentially crash and spit out error messages that could reveal information about your structure.
2) Some usages of AJAX require referencing an external php file to process data. This file should not be able to be accessed directly since it could lead to exploits.
I'm sure there are other ways directly accessing include files could be harmful.
I believe it is the new Corsair Padlock USB drive. Cool in theory but apparently not very secure!
I agree! Modularization is always a good thing as long as you don’t go overboard! I tend to put all my include files within a single include file as well.