Security issue with includes

Rulkster

Hi. As with any good programming practice i use includes to handle such things as database variables and the like.

I have a file called conf.inc which contains variables like:

$location = "localhost";
$databasename = "mydb";
$databaseuser = "username";
$databasepasswd = "xxxxxxxxx";

then of course i call it within my script whenever i need to connect to database.

PROBLEM: - if someone knows the name of my include script and types it into their browser address bar like

http://www.mydirectory.com/conf.inc

The include completely displays all the information to the screen. As you can see, this is bad, bad, bad, bad. How do i hide it so this does not happen.

veron

Name your include files .php instead of .inc. The contents of the include files will then be executed by the server and not displayed as text.

stolzyboy

as veron said, generally peeps choose something like

config.inc.php

superwormy

Another good idea is to store that file OUTSIDE of the www directory, that way they can never even browse to the file.

( ie /home/username/ or sommewhere else not with the rest of your browsable scripts )

rpanning

What I do is have my config file called config.inc.php then in that file I make sure it was included.

<?php
// some page
$varified = true;
require_once('config.inc.php');
// some code
?>

<?php
// config.inc.php
if (!$varified) {
    exit('some error message');  //kills the script right away
} else {
    // page has been included, continue as normal
}
?>

ymir

or you could go into your httpd.conf (if your'e using apache) file and and goto you Files directive like this:

<Files ^*.inc>
Deny from all
Satisfy All
</Files>

Restart apache and viola!

Mordecai

The above method works well if you want to block them out. However, if you want to parse the .incs as PHP (you may not want to if it opens connections and doesn't close them):
AddType application/x-httpd-php .inc