Include(filename.php) and security

on 02.11.2007 00:27:04 by Animesh Kumar

I have a file abc.php which includes another file (which primarily has
text) called text.php.

Is there a way I can secure the text.php file without affecting the
include_once('text.php') call in abc.php?

By secure, I mean the outside user should not be able to find the file
at all.

Of course one method is to obfuscate the name of text.php, but any
simpler solutions are preferred.

Best regards,
Animesh

Re: Include(filename.php) and security

on 02.11.2007 01:35:01 by Steve

"Animesh K" wrote in message
news:fgdnc8$25bu$1@agate.berkeley.edu...
>I have a file abc.php which includes another file (which primarily has
>text) called text.php.
>
> Is there a way I can secure the text.php file without affecting the
> include_once('text.php') call in abc.php?
>
> By secure, I mean the outside user should not be able to find the file at
> all.
>
> Of course one method is to obfuscate the name of text.php, but any simpler
> solutions are preferred.
>
> Best regards,
> Animesh

put it outside of the web root directory. make sure your web server has
permission to access the file.

Re: Include(filename.php) and security

on 02.11.2007 01:42:31 by Animesh Kumar

Steve wrote:
> "Animesh K" wrote in message
> news:fgdnc8$25bu$1@agate.berkeley.edu...
>> I have a file abc.php which includes another file (which primarily has
>> text) called text.php.
>>
>> Is there a way I can secure the text.php file without affecting the
>> include_once('text.php') call in abc.php?
>>
>> By secure, I mean the outside user should not be able to find the file at
>> all.
>>
>> Of course one method is to obfuscate the name of text.php, but any simpler
>> solutions are preferred.
>>
>> Best regards,
>> Animesh
>
> put it outside of the web root directory. make sure your web server has
> permission to access the file.
>
>

Can you please explain it a bit more. Outside of the directory, but where?

Do you mean make a directory for those text files and keep it hidden
since people will not know where that directory is, so they cannot guess it?

Re: Include(filename.php) and security

on 02.11.2007 02:34:31 by Jerry Stuckle

Animesh K wrote:
> I have a file abc.php which includes another file (which primarily has
> text) called text.php.
>
> Is there a way I can secure the text.php file without affecting the
> include_once('text.php') call in abc.php?
>

You could secure it with .htaccess, but that's the hard way.

> By secure, I mean the outside user should not be able to find the file
> at all.
>
> Of course one method is to obfuscate the name of text.php, but any
> simpler solutions are preferred.
>
> Best regards,
> Animesh
>

Put the file in a directory outside of the web server's root directory.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Include(filename.php) and security

on 02.11.2007 03:49:57 by Animesh Kumar

Jerry Stuckle wrote:
> Animesh K wrote:
>> I have a file abc.php which includes another file (which primarily has
>> text) called text.php.
>>
>> Is there a way I can secure the text.php file without affecting the
>> include_once('text.php') call in abc.php?
>>
>
> You could secure it with .htaccess, but that's the hard way.

All methods are welcome.

>
>> By secure, I mean the outside user should not be able to find the file
>> at all.
>>
>
> Put the file in a directory outside of the web server's root directory.


I don't have a dedicated server. I am using a shared server and most
likely this cannot be done.

Re: Include(filename.php) and security

on 02.11.2007 03:52:31 by Jerry Stuckle

Animesh K wrote:
> Jerry Stuckle wrote:
>> Animesh K wrote:
>>> I have a file abc.php which includes another file (which primarily
>>> has text) called text.php.
>>>
>>> Is there a way I can secure the text.php file without affecting the
>>> include_once('text.php') call in abc.php?
>>>
>>
>> You could secure it with .htaccess, but that's the hard way.
>
> All methods are welcome.
>
>>
>>> By secure, I mean the outside user should not be able to find the
>>> file at all.
>>>
>>
>> Put the file in a directory outside of the web server's root directory.
>
>
> I don't have a dedicated server. I am using a shared server and most
> likely this cannot be done.
>

Many shared servers give you access one level above your web root
directory. If yours doesn't, find one which does. If you need the
file protected, anything else isn't worth the hassle.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Include(filename.php) and security

on 02.11.2007 03:55:59 by Animesh Kumar

Jerry Stuckle wrote:
> Animesh K wrote:
>> I have a file abc.php which includes another file (which primarily has
>> text) called text.php.
>>
>> Is there a way I can secure the text.php file without affecting the
>> include_once('text.php') call in abc.php?
>>
>
> You could secure it with .htaccess, but that's the hard way.
>


How about turning off warnings? That's what you mean by .htaccess? (like
warning off).

Re: Include(filename.php) and security

on 02.11.2007 03:57:59 by Animesh Kumar

Jerry Stuckle wrote:

>
> Many shared servers give you access one level above your web root
> directory. If yours doesn't, find one which does. If you need the
> file protected, anything else isn't worth the hassle.
>

I use godaddy's service, and don't really plan to change (price!). I
will check if I can get to a higher directory (but the ftp program gets
me directly to the web-root and I haven't fiddled with the .. command).

I can always use some obfuscated directory for the file (like
/asaihsaihsaih/filename ..)

Thanks,
Animesh

Re: Include(filename.php) and security

on 02.11.2007 04:00:47 by Jerry Stuckle

Animesh K wrote:
> Jerry Stuckle wrote:
>
>>
>> Many shared servers give you access one level above your web root
>> directory. If yours doesn't, find one which does. If you need the
>> file protected, anything else isn't worth the hassle.
>>
>
> I use godaddy's service, and don't really plan to change (price!). I
> will check if I can get to a higher directory (but the ftp program gets
> me directly to the web-root and I haven't fiddled with the .. command).
>
> I can always use some obfuscated directory for the file (like
> /asaihsaihsaih/filename ..)
>
> Thanks,
> Animesh
>

Good hosting can be found for less than $5/mo. at dozens of places.

GoDaddy is a registrar, with hosting as a sideline. Also, you should
never have your registrar as your hosting company, no matter how cheap
it is.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Include(filename.php) and security

on 02.11.2007 04:02:11 by Jerry Stuckle

Animesh K wrote:
> Jerry Stuckle wrote:
>> Animesh K wrote:
>>> I have a file abc.php which includes another file (which primarily
>>> has text) called text.php.
>>>
>>> Is there a way I can secure the text.php file without affecting the
>>> include_once('text.php') call in abc.php?
>>>
>>
>> You could secure it with .htaccess, but that's the hard way.
>>
>
>
> How about turning off warnings? That's what you mean by .htaccess? (like
> warning off).
>

Nope, I mean using .htaccess. Try the Apache website for more info on
it, then alt.apache.configuration (if you haven't RTFM before asking in
that group they will call you on it).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Include(filename.php) and security

on 02.11.2007 06:40:16 by Shion

Animesh K wrote:
> Steve wrote:
>> "Animesh K" wrote in message
>> news:fgdnc8$25bu$1@agate.berkeley.edu...
>>> I have a file abc.php which includes another file (which primarily
>>> has text) called text.php.
>>>
>>> Is there a way I can secure the text.php file without affecting the
>>> include_once('text.php') call in abc.php?
>>>
>>> By secure, I mean the outside user should not be able to find the
>>> file at all.
>>>
>>> Of course one method is to obfuscate the name of text.php, but any
>>> simpler solutions are preferred.
>>>
>>> Best regards,
>>> Animesh
>>
>> put it outside of the web root directory. make sure your web
>> server has permission to access the file.
>>
>
> Can you please explain it a bit more. Outside of the directory, but where?
>
> Do you mean make a directory for those text files and keep it hidden
> since people will not know where that directory is, so they cannot guess
> it?

In your web server there will be a document root location
DocumentRoot /path/to/a/directory

You then have your first file in
/path/to/a/directory/abc.php

and you would have the "hidden" file in
/path/to/a/text.php

Another solution is to use a directory with .htaccess and set http access to
deny for all and place all files you don't want others to be able to find in
this. This may fail during web server updates, as the htaccess may be disabled
and then all have access to the file. This has also the disadvantage that not
all web-hosts allow this.

A third way to do, which won't prevent the access to the file, but what it
contains is to

<?php
// Guard: stop unless an including script has already defined the constant.
if (!defined('DEFINEDTRUE')) { exit; }
//your code below

?>

and in the files that are allowed to be used you have
<?php
// Define the constant before including the protected file.
define('DEFINEDTRUE', true);
//your code below

?>

This way accessing text.php would give a completely blank page, while
accessing abc.php would show the content of text.php.

--

//Aho
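
The first and third options from the post above, combined, as an added example that is not part of the original post: the include sits in a sibling of the document root and also refuses to run unless an entry script has defined a constant. The directory names, the `APP_ENTRY` constant and the `run_script` helper are assumptions made for the illustration; the tree is built under the system temp directory.

```php
<?php
// Added example: builds a throwaway site tree (constructed paths) and runs
// both scripts the way a web server would, one PHP process per request.
declare(strict_types=1);

$site = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir("$site/public", 0755, true);   // stands in for DocumentRoot
mkdir("$site/private", 0755, true);  // sibling directory, not mapped to any URL

// Protected include: refuses to run unless an entry script set the constant.
file_put_contents("$site/private/text.php", <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {   // defined() takes the constant name as a string
    http_response_code(404);
    exit;
}
echo "protected text\n";
PHP);

// Entry script: defines the constant, then includes by absolute path so the
// include does not depend on include_path or the current working directory.
file_put_contents("$site/public/abc.php", <<<'PHP'
<?php
define('APP_ENTRY', true);
require_once dirname(__DIR__) . '/private/text.php';
PHP);

// Hypothetical helper: run one script in its own PHP process.
function run_script(string $path): string
{
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path));
}

$viaEntry = run_script("$site/public/abc.php");
$direct   = run_script("$site/private/text.php");

printf("abc.php output:  %s", $viaEntry);
printf("text.php direct: %s\n", $direct === '' ? '(empty)' : $direct);

// Remove the constructed tree again.
array_map('unlink', ["$site/public/abc.php", "$site/private/text.php"]);
array_map('rmdir', ["$site/public", "$site/private", $site]);
```

With the file outside the document root the constant guard is only a second layer: it matters if the directory is later moved or the server is reconfigured to serve it.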

Re: Include(filename.php) and security

on 02.11.2007 15:16:34 by Steve

"Animesh K" wrote in message
news:fge3nn$29jt$2@agate.berkeley.edu...
> Jerry Stuckle wrote:
>
>>
>> Many shared servers give you access one level above your web root
>> directory. If yours doesn't, find one which does. If you need the file
>> protected, anything else isn't worth the hassle.
>>
>
> I use godaddy's service, and don't really plan to change (price!). I will
> check if I can get to a higher directory (but the ftp program gets me
> directly to the web-root and I haven't fiddled with the .. command).
>
> I can always use some obfuscated directory for the file (like
> /asaihsaihsaih/filename ..)

do you work for microsoft? they too, have this idea that "obscurity is
security"...let me most assuredly inform you, it is not.

Re: Include(filename.php) and security

on 02.11.2007 19:25:01 by unknown

Post removed (X-No-Archive: yes)

Re: Include(filename.php) and security

on 02.11.2007 20:26:23 by Michael Fesser

..oO(Tom)

>I think some of the concern is that PHP files get configured to be parsed by the
>server before being sent to the user. If you have .inc files, those probably get
>delivered as plain text with all your code viewable.

I would never rely on that for security. All it takes is a little
misconfiguration or maybe a broken server update and even .php files may be
spit out as plain text.

Some weeks ago there was a poster who wrote about a problem with his
server, which occasionally delivered his scripts as plain text, while
most of the time they were parsed correctly ... strange, but it may
happen.

Storing such files outside the document root is the way to go if the
host allows it (every good one does). It's the most secure way.

Micha

Re: Include(filename.php) and security

on 02.11.2007 21:53:32 by Animesh Kumar

Steve wrote:
> "Animesh K" wrote in message
> news:fge3nn$29jt$2@agate.berkeley.edu...
>> Jerry Stuckle wrote:
>>
>>> Many shared servers give you access one level above your web root
>>> directory. If yours doesn't, find one which does. If you need the file
>>> protected, anything else isn't worth the hassle.
>>>
>> I use godaddy's service, and don't really plan to change (price!). I will
>> check if I can get to a higher directory (but the ftp program gets me
>> directly to the web-root and I haven't fiddled with the .. command).
>>
>> I can always use some obfuscated directory for the file (like
>> /asaihsaihsaih/filename ..)
>
> do you work for microsoft? they too, have this idea that "obscurity is
> security"...let me most assuredly inform you, it is not.
>
>

No I don't work for mycrowsoft. And why would I ask for another
suggestion if I thought obfuscation was good enough?

Besides obfuscation will not suit my needs, since I want to keep the
included files in the same directory (for some reasons beyond
explanations at the moment).

Re: Include(filename.php) and security

on 02.11.2007 21:53:43 by Animesh Kumar

J.O. Aho wrote:
> Animesh K wrote:
>> Steve wrote:
>>> "Animesh K" wrote in message
>>> news:fgdnc8$25bu$1@agate.berkeley.edu...
>>>> I have a file abc.php which includes another file (which primarily
>>>> has text) called text.php.
>>>>
>>>> Is there a way I can secure the text.php file without affecting the
>>>> include_once('text.php') call in abc.php?
>>>>
>>>> By secure, I mean the outside user should not be able to find the
>>>> file at all.
>>>>
>>>> Of course one method is to obfuscate the name of text.php, but any
>>>> simpler solutions are preferred.
>>>>
>>>> Best regards,
>>>> Animesh
>>> put it outside of the web root directory. make sure your web
>>> server has permission to access the file.
>>>
>> Can you please explain it a bit more. Outside of the directory, but where?
>>
>> Do you mean make a directory for those text files and keep it hidden
>> since people will not know where that directory is, so they cannot guess
>> it?
>
> In your web server there will be a document root location
> DocumentRoot /path/to/a/directory
>
> You then have your first file in
> /path/to/a/directory/abc.php
>
> and you would have the "hidden" file in
> /path/to/a/text.php
>
> Another solution is to use a directory with .htaccess and set http access to
> deny for all and place all files you don't want others to be able to find in
> this. This may fail during web server updates, as the htaccess may be disabled
> and then all have access to the file. This has also the disadvantage that not
> all web-hosts allow this.
>
> A third way to do, which won't prevent the access to the file, but what it
> contains is to
>
> <?php
> // Guard: stop unless an including script has already defined the constant.
> if (!defined('DEFINEDTRUE')) { exit; }
> //your code below
>
> ?>
>
> and in the files that are allowed to be used you have
> <?php
> // Define the constant before including the protected file.
> define('DEFINEDTRUE', true);
> //your code below
>
> ?>
>
> This way accessing text.php would give a completely blank page, while
> accessing abc.php would show the content of text.php.
>

I love the last solution. Many thanks for the same.

Best regards,
Animesh

Re: Include(filename.php) and security

on 03.11.2007 00:13:20 by Steve

"Animesh K" wrote in message
news:fgg2oc$2tkn$3@agate.berkeley.edu...
> Steve wrote:
>> "Animesh K" wrote in message
>> news:fge3nn$29jt$2@agate.berkeley.edu...
>>> Jerry Stuckle wrote:
>>>
>>>> Many shared servers give you access one level above your web root
>>>> directory. If yours doesn't, find one which does. If you need the
>>>> file protected, anything else isn't worth the hassle.
>>>>
>>> I use godaddy's service, and don't really plan to change (price!). I
>>> will check if I can get to a higher directory (but the ftp program gets
>>> me directly to the web-root and I haven't fiddled with the .. command).
>>>
>>> I can always use some obfuscated directory for the file (like
>>> /asaihsaihsaih/filename ..)
>>
>> do you work for microsoft? they too, have this idea that "obscurity is
>> security"...let me most assuredly inform you, it is not.
>
> No I don't work for mycrowsoft. And why would I ask for another suggestion
> if I thought obfuscation was good enough?
>
> Besides obfuscation will not suit my needs, since I want to keep the
> included files in the same directory (for some reasons beyond explanations
> at the moment).

just giving you a hard time. :)

Re: Include(filename.php) and security

on 05.11.2007 19:41:16 by nc

On Nov 1, 3:27 pm, Animesh K wrote:
>
> I have a file abc.php which includes another file (which
> primarily has text) called text.php.
>
> Is there a way I can secure the text.php file without
> affecting the include_once('text.php') call in abc.php?
>
> By secure, I mean the outside user should not be able to
> find the file at all.

Not really... Apache must be able to serve abc.php, but not
text.php. This means that they must reside in different directories.
There are two options you can look into:

1. Move text.php outside the Web root, or
2. Move text.php into a subdirectory and prohibit access to
that directory from the Web by using an .htaccess file.

Alternatively, you may leave the files where they are, but put
something like this in the beginning of text.php:

if (strpos ($_SERVER['PHP_SELF'], 'abc.php') === false) {
    die();
}

In other words, do not execute text.php, unless it is being included
into abc.php...

Cheers,
NC
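
The same-directory guard from the post above, set beside a stricter variant, as an added example that is not part of the original post. `PHP_SELF` is derived from the request URL, so a substring match on it is weaker than comparing the script the server actually started; the function names, the `/var/www/html` document root and the request values are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Check as posted: substring match on PHP_SELF (true means "allowed to run").
function allowed_by_php_self(array $server): bool
{
    return strpos($server['PHP_SELF'], 'abc.php') !== false;
}

// Stricter variant (hypothetical helper): the script the server started must
// be abc.php in the protected file's own directory. Inside text.php this is:
//   if ($_SERVER['SCRIPT_FILENAME'] !== __DIR__ . '/abc.php') { die(); }
function allowed_by_script_filename(array $server, string $protectedFile): bool
{
    return $server['SCRIPT_FILENAME'] === dirname($protectedFile) . '/abc.php';
}

// Constructed request environments; /var/www/html is an assumed document root.
$protected = '/var/www/html/text.php';
$requests = [
    'abc.php requested' => [
        'PHP_SELF' => '/abc.php',
        'SCRIPT_FILENAME' => '/var/www/html/abc.php',
    ],
    'text.php requested directly' => [
        'PHP_SELF' => '/text.php',
        'SCRIPT_FILENAME' => '/var/www/html/text.php',
    ],
    'text.php with trailing path info' => [
        'PHP_SELF' => '/text.php/abc.php',
        'SCRIPT_FILENAME' => '/var/www/html/text.php',
    ],
    'other script with a similar name' => [
        'PHP_SELF' => '/old-abc.php',
        'SCRIPT_FILENAME' => '/var/www/html/old-abc.php',
    ],
];

foreach ($requests as $label => $server) {
    printf(
        "%-34s PHP_SELF: %-5s  SCRIPT_FILENAME: %s\n",
        $label,
        allowed_by_php_self($server) ? 'allow' : 'deny',
        allowed_by_script_filename($server, $protected) ? 'allow' : 'deny'
    );
}
```

If the document root is reached through a symlink, apply `realpath()` to both sides of the comparison before relying on it.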

Re: Include(filename.php) and security

on 05.11.2007 21:17:10 by Jerry Stuckle

NC wrote:
> On Nov 1, 3:27 pm, Animesh K wrote:
>> I have a file abc.php which includes another file (which
>> primarily has text) called text.php.
>>
>> Is there a way I can secure the text.php file without
>> affecting the include_once('text.php') call in abc.php?
>>
>> By secure, I mean the outside user should not be able to
>> find the file at all.
>
> Not really... Apache must be able to serve abc.php, but not
> text.php. This means that they must reside in different directories.
> There are two options you can look into:
>
> 1. Move text.php outside the Web root, or
> 2. Move text.php into a subdirectory and prohibit access to
> that directory from the Web by using an .htaccess file.
>
> Alternatively, you may leave the files where they are, but put
> something like this in the beginning of text.php:
>
> if (strpos ($_SERVER['PHP_SELF'], 'abc.php') === false) {
> die();
> }
>
> In other words, do not execute text.php, unless it is being included
> into abc.php...
>
> Cheers,
> NC
>
>

Or you *can* use .htaccess to disallow access to a specific file. But
it gets complicated when you add more files.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Include(filename.php) and security

on 06.11.2007 21:10:10 by Animesh Kumar

Jerry Stuckle wrote:
> NC wrote:
>> On Nov 1, 3:27 pm, Animesh K wrote:
>>> I have a file abc.php which includes another file (which
>>> primarily has text) called text.php.
>>>
>>> Is there a way I can secure the text.php file without
>>> affecting the include_once('text.php') call in abc.php?
>>>
>>> By secure, I mean the outside user should not be able to
>>> find the file at all.
>>
>> Not really... Apache must be able to serve abc.php, but not
>> text.php. This means that they must reside in different directories.
>> There are two options you can look into:
>>
>> 1. Move text.php outside the Web root, or
>> 2. Move text.php into a subdirectory and prohibit access to
>> that directory from the Web by using an .htaccess file.
>>
>> Alternatively, you may leave the files where they are, but put
>> something like this in the beginning of text.php:
>>
>> if (strpos ($_SERVER['PHP_SELF'], 'abc.php') === false) {
>> die();
>> }
>>
>> In other words, do not execute text.php, unless it is being included
>> into abc.php...
>>
>> Cheers,
>> NC
>>
>>
>
> Or you *can* use .htaccess to disallow access to a specific file. But
> it gets complicated when you add more files.
>

Many thanks to everyone for the various inputs. It was educational and
my query has been successfully answered.

Best,
Animesh