Protecting my includes

WebRuss

Hi All

I have a folder called includes, which contains, you guessed it, all my include files. One of these files, contains the db functions and the login username and password for the database.

How can I prevent prying eyes from getting this info?

Regards
Russ

sarahk

the theory is that you put it in a folder off the main branch which is never directly referenced and in your setup refer to this as the include path and you will be able to get to these anytime. Talk to your host about this.

mikesgt2

For a start a hacker would not actually see the variables if they accessed the file because it would be parsed by php. Make sure that include files have the [FONT=courier new].php[/FONT]extension rather than [FONT=courier new].inc[/FONT].

Also you can use a constant, at the top of each include file you do this:

<?php
	if(!defined('VALID')) {
		die('Unlucky you scum of the earth hacker... lol');
	}

...
?>

Then in the file in which the files will be included you put this code:

<?php
define('VALID', true);
include('include.php');

...
?>

This method ensures that the include files can only be included from the places you want them to be. You may notice this method from the phpBB source code.

soupa

You can also include the following in your apache config file
so that .inc file cannot be served.
Just another solution.

<Files ~ "^.inc$">
Order allow,deny
Deny from all
</Files>

btw this is similar to the .ht entry in apache.

austingecko

I'm really not saying anything more than Soupa, but just wanted to add a tiny bit more info. In .htaccess you could add:
<Files ~ ".inc">
Order allow,deny
Deny from all
</Files>