Quick Security Question

FatalError

I have a bunch of files in a directory called 'includes' on my server, and I don't want anyone accessing those files. What's the best method to do it?

Use an .htaccess file
Define a constant in the root files, then in the one I don't want accessed, put if(!defined('SOME_CONSTANT')) die('Hacking attempt')

I know the constant method would slightly slow down the site, but then again I don't really like using .htaccess... :/ Thanks in advance!

Oh, and Happy April Fools!

laserlight

Place the directory outside of your public html directory.

samudasu

There are several options. Read this old post that mentions a few of them.
http://phpbuilder.com/board/showthread.php?t=10317356

FatalError

laserlight wrote:
Place the directory outside of your public html directory.

No I'm not going to do that because the blog system I'm doing this for is going to be redistributed, so I want it all in the same directory.

Since I'm redistributing, I'm thinking of using the constants, because I don't want to rely on anything (some servers don't support .htaccess).

MarkR

The best method is to have all include files only define classes, constants, functions and variables, rather than actually executing any code.

Then you will have no security problem even if someone does decide to execute your include files in a standalone fashion.

The security problems from includes being executed standalone mostly used to come from register_globals.

Mark

FatalError

MarkR wrote:
The security problems from includes being executed standalone mostly used to come from register_globals.

Yeah, but since I'm going to redistribute this, I have no control over whether the user has register_globals on or off. But I guess I can do without any protection against accessing those files...

MarkR

You can control register_globals. Simply check if it's turned on, and if so, refuse to allow them to use the application at all.

This forces the site admin to turn register_globals off, unless they're going to leave a broken instance of the app sitting in their web space.

Mark

laserlight

This forces the site admin to turn register_globals off, unless they're going to leave a broken instance of the app sitting in their web space.

The downside to that is that if the person installing the script is clueless, then he/she will probably be put off by the error and just abandon the script for another one.

After all, if the person is also the server admin, then using the non-webspace idea would become more of an option anyway.

samudasu

Aren't you going to have install instructions with your package? It wouldn't be too much to have the user/admin unzip the package and then have them move the includes directory outside of public html. If you're includes don't have executable code then none of this matters.

Your going to have to compromise somewhere, either in the way you code or by trusting that a user can read an install file. You've already been given the two best options by MarkR and Laserlight.