
I am developing a website for myself and I just wonder how can I prevent direct access to include files like header.php and footer.php. Those files should only be incorporated in pages like index.php or other pages wherein they will be called using <?php include(''); ?>. Should I do it through PHP? How about editing the .htaccess file or are there any other methods?

  • the standard way is to put them outside the web root Commented Apr 17, 2015 at 2:44
  • Or check for a session variable or a cookie. If it's not there 301 redirect to another page or die(). Could also fake a 401 status. Commented Apr 17, 2015 at 2:48
  • @Dagon then how will I secure it if for example I put it in a resources folder? Commented Apr 17, 2015 at 2:50
  • @Twisty, can you elaborate it as an answer? Commented Apr 17, 2015 at 2:51
  • users have no access to files outside the web root Commented Apr 17, 2015 at 2:51

3 Answers

  • place the file(s) in a directory outside the web root.
  • the web server will never serve these files to users.
  • PHP et al. can still access the files via include/require etc.
  • This has been the gold standard approach for several decades.

1 Comment

I meant to click your checkmark, for a while I thought I got blurry eyes.

I offered 3 suggestions and since you didn't provide much to go one, I will give you one elaboration.

As @Dragon alludes to, when you use include() you're reading via the file system and not via an HTTP request. You can check for an HTTP verb ($_REQUEST, $_GET, $_POST) and refuse to show content or fake a 401.

```php
<?php
// Note: $_REQUEST, $_GET and $_POST are defined (as empty arrays) on every
// web request, so isset() on them is always true, even when this file is
// only include()d from index.php.
if (isset($_REQUEST) || isset($_GET) || isset($_POST)) {
    header("HTTP/1.0 404 Not Found");
    die();
}
// Do the needed
?>
```

I will let you figure out the gotcha on your own here.

1 Comment

you picked this as the answer? really -sigh. i can send any header request to a file on your server i want to - this is NOT a secure approach
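The comment above is right that the superglobal check cannot distinguish an include from a direct request. An in-file guard that does work compares which script PHP actually started executing (`$_SERVER['SCRIPT_FILENAME']`, the entry script) with the file being guarded (`__FILE__`). The following `header.php` is an example added here, not code from any of the answers; the constant name `APP_ENTRY` is an assumed convention that `index.php` would have to set before including this file.

```php
<?php
// header.php -- added example of a direct-access guard for an include file.
//
// When index.php include()s this file, $_SERVER['SCRIPT_FILENAME'] is the
// path of index.php; when a browser requests header.php directly, it is the
// path of this file. That difference, not the presence of $_GET/$_POST, is
// what tells the two cases apart.
declare(strict_types=1);

function is_direct_request(string $entryScript, string $thisFile): bool
{
    // realpath() canonicalises both sides (relative segments, symlinks) so
    // the comparison is between absolute paths. false means the entry
    // script does not resolve on disk; treat that as "not this file".
    $entry = realpath($entryScript);
    return $entry !== false && $entry === realpath($thisFile);
}

if (is_direct_request($_SERVER['SCRIPT_FILENAME'] ?? '', __FILE__)) {
    http_response_code(403);   // refuse outright rather than faking a 404
    exit;
}

// Defence in depth: the including script sets this constant before the
// include. APP_ENTRY is an assumed name, not one the page defines.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}
?>
<header>site header</header>
```

The second check is what makes the guard robust on FastCGI setups where `SCRIPT_FILENAME` is whatever the front-end server passes in: even if that value is wrong, a file reached without going through `index.php` still has no `APP_ENTRY` defined. Both checks are still only a fallback to keeping the includes outside the web root, as the accepted answer says.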

It would be perfect if your server is linux, because then what you can do is follow Dagon's suggestion of placing the files to include outside of the web root.

The web root of course is the base folder that contains files the outside world is meant to access. On many systems, this is the public_html folder.

On a system with WHM/cpanel installed, you might have a special user account where the root of that account (where anything can be stored) is located at /home/user on the entire system. This can be viewed by using the file manager utility included with cpanel when logged in. In that /home/user folder, you may find configuration files and folders starting with a period as well as public_ftp and public_html folders.

In the /home/user folder, you can place the PHP files you don't want the world to directly access. Then, in public_html (accessible within /home/user), you can place the index.php file that has the include statement to the "protected" files. That way in index.php you can use this statement:

```php
include "../file-to-include.php";
```

Just make sure that the administrator has set the owner of the /home/user folder to the same username you login with or you may get access denied messages when trying to access the file. On a decent cpanel setup, the last step would have already been done for you.

1 Comment

The solution @Dragon posted works on all web servers. It would work in Windows much the same way.
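To show the outside-the-web-root layout from the answers above as working code, here is an `index.php` added as an example (not code from the answers). It assumes the directory layout in the comments, an includes directory named `includes` under `/home/user`, and the `APP_ENTRY` constant as a convention the included files may check; all three are assumptions, not something the page specifies.

```php
<?php
// /home/user/public_html/index.php -- added example; paths are assumed.
//
// Assumed layout, mirroring the answers above:
//   /home/user/includes/header.php    not reachable over HTTP
//   /home/user/includes/footer.php
//   /home/user/public_html/index.php  the only file the web server serves
declare(strict_types=1);

// Signal to the included files that they were reached through this entry
// script (assumed convention; see the guard example on this page).
define('APP_ENTRY', true);

// Resolve the includes directory from this file's own location. A bare
// "../file.php" is relative to PHP's working directory, which is not
// always the directory of the running script; __DIR__ always is.
define('INCLUDE_DIR', dirname(__DIR__) . '/includes');

function include_path(string $baseDir, string $name): string
{
    // Accept only a bare file name, so that if a later change ever derives
    // $name from a request parameter it still cannot traverse out of
    // $baseDir with "../" segments.
    if ($name !== basename($name)) {
        throw new InvalidArgumentException("not a bare file name: $name");
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() resolves symlinks, so also confirm the final path still
    // lies inside the includes directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("include not found under $baseDir: $name");
    }
    return $path;
}

require include_path(INCLUDE_DIR, 'header.php');
?>
<main>page body</main>
<?php require include_path(INCLUDE_DIR, 'footer.php'); ?>
```

If hosting constraints force the includes to stay under the web root, the closest equivalent is to deny HTTP access to that directory at the server: on Apache 2.4 an `.htaccess` in the includes directory containing `Require all denied` does this, while PHP's `require` still reads the files through the filesystem as before.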
