[Security] Prevent users to view .inc Files

Hotkey

Hi all !

I've got a problem with the security of my script.
I'm using some .inc files to do some stuff.
Besides other stuff the include File does a connect to a Database.
Now the problem :
If somebody accesses the inclusion File directly he is able to view it as plain text.

Now my Question : is there a way (PHP sided) to avoid this direct access of my inc file ? For example something like :

if ($iAmAccessedDirectly=="TRUE") die ("Not allowed to do that");

For some reasons i can't choose other possibillities to avoid the acces.
The script should be usable for everyone who wants to use it on any server he wants to put it on ....
So i can't count on solutions like .htaccess or the proper configurated webserver.
(I've tried .htaccess on my server and it worked, i tried it on an other server and i didn't worked)

I need to use the includes, cause other whise my setup script has to alter every php file which uses database functionality during setup (which would be a bunch of work).

I hope that someone has an idea to solve this problem!

Thanks in advance !

Hotkey

bastien

use the .php extension and some kind of session variable to check against

if ($_SESSION['loggedIn']!="TRUE") {
    echo ("Not allowed to do that");
    die();
}else{
  //rest of the code for your page
}

also consider placing all the include type pages into functions. If everything was in function and the page was called, nothing is shown as all the function calls are on other pages

Hotkey

thanks !
i didn't know that you can include .php files too !

superwormy

To clarify further...

File extensions in anything UNIX / LINUX based, for the most part, DO NOT MATTER. Windows is STUPID and meant to be user-friendly, and thus uses file extensions to determine what to open how and how to use what and such.

BUT for most Unix / Linux programs, INCLUDING PHP / JAVA / PERL / ETC. the file extensions usually do not matter. You can include, fread, parse_ini_file, etc. anything with PHP. In fact, you're regular PHP files ( the ones that the user requests and views ) don't need to have the .php extensoin at all. They could be .htm. Or .php3. Or .jsp. Or .asp. Or ANYTHING AT ALL! You only need to tell Apache ( or whatever web server you're using ) that it should pass that file extension to a PHP module / executable before sending it to the user.

From a security standpoint, you really should never use .inc files, because of the problem you've found. MOST Apache installations treat .inc files as plain text, and MOST people don't have the permissoins or know-how to change Apache to make it treat them as PHP.

I've found a better solution is often to use filename.inc.php. That way I still know its an include file... but its a little bit safer.

On another note, if it has database connections nad passwords and stuff, try and store it outside the www root, so that the public can never request it anyway.

Hotkey

Thanks again for the info.
I know about the file extensions and i know how i have to configure my server to make him not displaying .inc files.
You have described the problem exactly : It's impossible to count on all users/providers that they configure their servers secure.
As i've described above : Even the use of an .htaccess file makes it 100% secure.
Don't know why, but one linux server running apache doesn't handle it correctly.
It denies the Listing of the directory but allows the direct access.

I've used the .inc extensions cause i thought this is a "good style" to code php pages.

Thanks again !