What security precautions do I need to take, (if any), to stop other websites linking to, and using my classes and include files on their websites?

My PHP is very rusty, but I am sure we once had a problem with this a long time ago, and we had to place some code outside the webroot, if I recall?

    Yes, place those files outside of the document root. If you cannot do that, provide them with a .php extension. You usually would do both.

      Would just having a .php stop them using a class.

      e.g. Say I had a class called http://www.test.com/testclass.php...

      Couldn't they just include that file in their website if they ran PHP?

      include 'http://www.test.com/testclass.php';

        They could, but all they would get is the output of that script, which presumably is not PHP code.

          The only real benefit I've ever seen of placing files outside your web root is just to prevent the rare scenario that your host somehow trashes the web server config such that the PHP interpreter is no longer called for .php files. Placing the files outside the web root would prevent some lucky person from viewing the source code in the (presumably/hopefully short) time window in which the webserver is misconfigured.

          Otherwise, as laserlight explained, you can't simply include/require() PHP files across an HTTP connection. All you get is the output of the script (again, unless the webserver forgets about the PHP interpreter).

            You are all missing the point. I don't want, (in some cases), other sites to access the output of some of my scripts.

            (I wouldn't do this), but let's say I have a class script that mailed all my customers. Someone from another site could call that script and 'could' use it to spam my customers, etc.

            Or something more simple, you have an include file that displays a legal notice. They could just include that on their site, and waste your bandwidth.

              bradgrafelman;10946206 wrote:

              ...rare scenario that your host somehow trashes the web server config such that the PHP interpreter is no longer called for .php files. Placing the files outside the web root would prevent some lucky person from viewing the source code in the (presumably/hopefully short) time window in which the webserver is misconfigured.

              I agree with brad fully... in the very rare occasion that your web server is thrashed for some strange reason could anyone be able to view your code and 'include', as you put it, your functions...

                The include function in PHP allows you to include files from other domains... So if you know the file name, and how to use it, what's stopping people from doing so?

                This may not seem like a problem for some, but it is a risk. When people start writing and sharing their classes etc, like in C++ or C#, some of them become standard and used by many people... so people will know what they are, and how to use them across domains.

                This once was a problem for us in the past.

                Question: I am presuming that the script will run, but only the parsed output will be sent to the calling domain, but the code, nonetheless, will run fully?

                  Myth(UK) wrote:

                  You are all missing the point. I don't want, (in some cases), other sites to access the output of some of my scripts.

                  (I wouldn't do this), but let's say I have a class script that mailed all my customers. Someone from another site could call that script and 'could' use it to spam my customers, etc.

                  Consider this script:

                  <?php
                  
                  function mailAll($message)
                  {
                      // Code to mail $message to all your customers.
                      // ...
                  }

                  You could leave this script within your document root, but I still cannot call mailAll() from my own script because when I include your script, I get a blank page. In other words, one way to prevent others from accessing the output of these kinds of helper scripts is to make it such that these scripts do not output anything or have any side effect in general. They just define classes, functions, variables, etc. that are used from the scripts that actually output to the client.

                  Myth(UK) wrote:

                  The include function in PHP allows you to include files from other domains... So if you know the file name, and how to use it, what's stopping people from doing so?

                  Place those files outside of the document root. What more do you want? If you cannot do that, yet you insist on having helper scripts with side effects, then too bad. Live with your lack of security.

                    laserlight;10946299 wrote:

                    Place those files outside of the document root. What more do you want? If you cannot do that, yet you insist on having helper scripts with side effects, then too bad. Live with your lack of security.

                    Outside of doc_root is to be preferred, if possible.
                    Especially for all sensitive information, like configs, personal/private stuff on you or your users.

                    When we run a personal server from our own computer, or have our own server elsewhere,
                    it is easy to put whatever we like outside doc_root and to configure our server + php.ini to be reasonably strict & secure.

                    However, the majority of website owners must take what the hosting company has to offer.
                    Unfortunately this almost NEVER includes directories outside web root.
                    I do not know why.

                    Because it wouldn't be hard, I think, to offer clients such directories
                    that cannot be accessed directly via the web.

                    What options are left and what people use to protect stuff:

                    1. Store everything sensitive (as much as possible) in one database, like MySQL.
                    This means that this database's data files will be located outside of web root,
                    in another part of the host's hard drive.

                    2. Very often you can use Apache + .htaccess file(s)
                    To completely make any other access, than your own php-scripts, impossible
                    we usually put an .htaccess file in the directory (e.g. /includes/)
                    And put this one line inside the .htaccess

                    Deny from All

                    There are a bunch of small things we can do, to make our webfiles & stuff secure from others.
                    If we use several different things, tricks, methods together, we can come close to our goal.
                    A website where we are in control of what we share and what we don't.

                      halojoy wrote:

                      2. Very often you can use Apache + .htaccess file(s)
                      To completely make any other access, than your own php-scripts, impossible
                      we usually put an .htaccess file in the directory (e.g. /includes/)
                      And put this one line inside the .htaccess

                      Yes, this option makes that directory be logically outside of the document root with respect to the web server despite being within the document root directory with respect to the file system.

                        halojoy;10946302 wrote:

                        2. Very often you can use Apache + .htaccess file(s)
                        To completely make any other access, than your own php-scripts, impossible
                        we usually put an .htaccess file in the directory (e.g. /includes/)
                        And put this one line inside the .htaccess

                        Deny from All

                        This current project is based on an IIS 7 server, hence no .htaccess file. IIS does have a web.config (similar to .htaccess), but I am not sure if this works with PHP (only ASP.net?). If it does work with PHP, I have no idea how to set this up!

                        I was thinking of maybe restricting the IIS_IUSR account in some way on the include folders? Again I am not sure about this, since PHP needs the IUSR account for FastCGI?

                          Myth(UK) wrote:

                          This current project is based on an IIS 7 server, hence no .htaccess file. IIS does have a web.config (similar to .htaccess), but I am not sure if this works with PHP (only ASP.net?). If it does work with PHP, I have no idea how to set this up!

                          I have no knowledge of IIS configuration, but this has nothing to do with PHP. For example, you would use the same kind of configuration to keep visitors from being able to access your "normal" HTML documents.

                          By the way:

                          Myth(UK) wrote:

                          Or something more simple, you have an include file that displays a legal notice. They could just include that on their site, and waste your bandwidth.

                          No one in their right mind would do this when it would save their own bandwidth to just have their own copy of that legal notice. By including your file, they are actually opening themselves up to possible malicious code injection problems, e.g., if they are careless, you could change your own scripts to refer to a different file, and then replace the contents of that include file with a Javascript that redirects the offending website's visitors to your website.

                            laserlight;10946313 wrote:

                            I have no knowledge of IIS configuration, but this has nothing to do with PHP. For example, you would use the same kind of configuration to keep visitors from being able to access your "normal" HTML documents.

                            Yes and No,

                            The way ASP.net uses the web.config file to provide authentication, is unique to ASP.net. The only way I know to provide access to a php script running in a folder under a web.config restriction, is to use an ASP.net web form. I can tell the web.config file to run, say logon.php, but you would still need to pass this information somehow to the server, which is normally done via ASP.net. I don't want to use ASP.net. I just want to deny users, outside of the domain access to certain php scripts... (hopefully, without going out of the webroot).

                            In our case, this is for added security only.

                            I realise you cannot access the functions or classes within scripts, (but the scripts still run and the output is parsed).

                            This is not a php issue, but more a server one, but I would still like to know how to do this.

                              We have decided to wrap everything that isn't a class inside function(s) in our helper scripts, and only put the real private stuff (databases, session data, etc.) outside the document root.

                              :rolleyes: But, isn't there a setting in the php.ini file that stops remote includes?

                                Myth(UK) wrote:

                                But, isn't there a setting in the php.ini file that stops remote includes?

                                No, no more than you have a setting on your browser to stop me from viewing pages on phpbuilder.com

                                  I'm rather confused, especially at this:

                                  Myth(UK) wrote:

                                  You are all missing the point. I don't want, (in some cases), other sites to access the output of some of my scripts.

                                  You began this thread by talking about include files and classes, implying that you didn't want others to have access to the source of your PHP scripts, not the output.

                                  If it's the output you're talking about, then it sounds like you're simply trying to prevent hotlinking.

                                    Sorry if I wasn't clear.
                                    It was to prevent hotlinking, but I was originally confused with including classes in php also.

                                    Please note: My php is very rusty... I write C++ & C# apps, but have now been lumbered with writing php scripts, since about a month ago. :queasy:

                                      I came up with this little idea of selective hotlinking. This could be useful to allow a client (who has no DB access on their server) to remotely include a PHP script that outputs the contents of a DB table running on your server.

                                      helper_chk.php
                                      <?php
                                      // Script Authorisation Function
                                      // Note: Prevents remote hotlinking of include files from unauthorised websites.
                                      function scriptAuthorisation() {	
                                      	return 'something_unique';
                                      }
                                      ?>
                                      
                                      show_db.php
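                                      <?php
                                      // Check Script Authorisation
                                      include_once 'helper_chk.php';
                                      // A remote caller supplies the code in the query string; with register_globals
                                      // off it arrives in $_GET rather than as a global variable.
                                      if (!isset($scriptAuthCode) && isset($_GET['scriptAuthCode'])) $scriptAuthCode = $_GET['scriptAuthCode'];
                                      // Strict comparison also rejects non-string input such as scriptAuthCode[]=x
                                      if ((!isset($scriptAuthCode)) || ($scriptAuthCode !== scriptAuthorisation())) exit();
                                      
                                      // Rest of code to parse the DB table data
                                      
                                      ?>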
                                      
                                      index.php (local file)
                                      <?php
                                      include_once 'helper_chk.php';
                                      $scriptAuthCode = scriptAuthorisation();
                                      include 'show_db.php'; 
                                      
                                      // Rest of code
                                      
                                      ?>
                                      
                                      index.php (Clients file)
                                      <?php
                                      // The URL needs its scheme; without http:// PHP looks for a local file of that name.
                                      include_once 'http://www.example.com/show_db.php?scriptAuthCode=something_unique';
                                      
                                      // Rest of code
                                      
                                      ?>

                                      There are 3 reasons why I used a function in helper_chk.php, but I don't have time to explain now.

                                      Hope this helps someone.

                                        P.S I am not sure, but I think the client would need to set allow_url_include=on in their php.ini file?
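
An added example, not code from any poster in this thread: the scheme above sends one fixed code in the URL, so this version generalises the check to an expiring, HMAC-signed query string compared with hash_equals(). SHARED_SECRET, the client id and both function names are hypothetical.

```php
<?php
// Added example. SHARED_SECRET is a placeholder; in practice it is a long random
// value stored outside the document root and given only to the permitted client.
const SHARED_SECRET = 'replace-with-long-random-value';

// Client side: build the query string to append to show_db.php.
function makeScriptAuthQuery(string $clientId, int $ttlSeconds, string $secret, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttlSeconds;
    $mac = hash_hmac('sha256', $clientId . '|' . $expires, $secret);
    return http_build_query(['client' => $clientId, 'expires' => $expires, 'mac' => $mac]);
}

// Server side: true only for an unexpired, correctly signed request.
function isAuthorisedRequest(array $query, string $secret, ?int $now = null): bool
{
    foreach (['client', 'expires', 'mac'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return false; // missing field, or an array such as mac[]=x
        }
    }
    if (!ctype_digit($query['expires']) || (int) $query['expires'] < ($now ?? time())) {
        return false; // malformed or expired timestamp
    }
    $expected = hash_hmac('sha256', $query['client'] . '|' . $query['expires'], $secret);
    return hash_equals($expected, $query['mac']); // constant-time comparison
}

// Constructed demonstration, runnable from the command line.
$now = 1700000000; // constructed timestamp
parse_str(makeScriptAuthQuery('client-a', 300, SHARED_SECRET, $now), $good);
$tampered = $good;
$tampered['client'] = 'client-b'; // signature no longer matches the fields

var_dump(isAuthorisedRequest($good, SHARED_SECRET, $now));       // valid request
var_dump(isAuthorisedRequest($tampered, SHARED_SECRET, $now));   // altered client id
var_dump(isAuthorisedRequest($good, SHARED_SECRET, $now + 301)); // past expiry
var_dump(isAuthorisedRequest([], SHARED_SECRET, $now));          // no parameters
```

In show_db.php the check would read `if (!isAuthorisedRequest($_GET, SHARED_SECRET)) exit();`. A captured URL stays valid until it expires, so keep the lifetime short and serve the script over HTTPS.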