Last updated: Mon, 12 Sep 2005

User Contributed Notes
webmaster ätt christophdum ddott com
16-Dec-2005 08:30
That's cool, but I use this code right here:

<?php if (!defined('IN_SCRIPT')) { header('HTTP/1.0 404 Not Found'); exit; } ?>

Adding a 404 header will not give the user any clue that the include-file even exists!!!

I also protect the whole include-directory with a .htaccess file that says: "Deny from all"

So I guess that's pretty secure.
Thomas "Balu" Walter
17-Oct-2005 04:24
Since many users can not modify apache configurations or use htaccess files, the best way to avoid unwanted access to include files would be a line at the beginning of the include-file:

<?php if (!defined('APPLICATION')) exit; ?>

And in all files that are allowed to be called externally:

<?php define('APPLICATION', true); ?>

administrator at galbadian dot com
24-Apr-2005 03:47
Yeah, a lot of people don't think about the possibility of...

Let's say a user posts $var=" " . $dbpass . " "

and your page has


which shows the var $dbpass (in this case the MySQL db pass)
nick dot hristov at gmail dot com
02-Sep-2004 11:21
A correction to previous post by Dave Mink.

<Files ~ "\.inc$">
   Order allow,deny
   Deny from all
   Satisfy All
</Files>

Will not stop something like

Here is something more sophisticated for this task:

<Location ~ "\.inc">
   # Location matches the URL path only, so a query-string part in the
   # pattern is never tested; matching ".inc" anywhere in the path also
   # covers trailing path-info. AllowOverride is only valid inside
   # <Directory> sections and is therefore not used here.
   Options None
   Order Allow,Deny
   Deny from All
   Satisfy All
</Location>

Also, consider placing in your httpd.conf

<Location ~ "\.phps">
   Options None
   Order Allow,Deny
   Deny from All
   Satisfy All
</Location>
29-Aug-2004 12:21
Another good source of information on writing secure PHP code is
ocrow at simplexity dot net
02-Jul-2003 08:16
If your PHP pages include() or require() files that live within the web server document root, for example library files in the same directory as the PHP pages, you must account for the possibility that attackers may call those library files directly. 

Any program level code in the library files (i.e., code not part of function definitions) will be directly executable by the caller outside of the scope of the intended calling sequence. An attacker may be able to leverage this ability to cause unintended effects.

The most robust way to guard against this possibility is to prevent your webserver from calling the library scripts directly, either by moving them out of the document root, or by putting them in a folder configured to refuse web server access. With Apache for example, create a .htaccess file in the library script folder with these directives:

Order Allow,Deny
Deny from all
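Putting the two defensive ideas from these notes together (the marker-constant guard described by Thomas Walter and the "no program-level code in library files" rule from the note above), here is an added example. It is not code from any of the commenters or from the PHP manual; the file names (public/index.php, lib/db.inc.php), the constant name APP_ENTRY and the connection values are assumptions chosen for illustration. The listing shows two files, separated by comment banners, that would be deployed side by side.

```php
<?php
// ---- lib/db.inc.php --------------------------------------------------------
// Added example, not from the notes above. File names and the APP_ENTRY
// constant are assumptions.
//
// First statement of every include file: refuse to run unless an entry
// script has already defined the marker constant. Answering 404 makes a
// direct request for the library file look like a request for a file that
// does not exist.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Keep configuration and behaviour inside functions rather than as
// top-level statements, so that loading the file has no side effects even
// if the guard above were ever bypassed.
function db_connect(): PDO
{
    $dsn  = 'mysql:host=localhost;dbname=app'; // assumed connection values
    $user = 'app';
    $pass = 'PLACEHOLDER-PASSWORD';              // placeholder, not a real secret
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// ---- public/index.php ------------------------------------------------------
// The only script meant to be requested directly. It defines the marker
// before pulling in anything from lib/. The marker is a literal set by our
// own code, never derived from request data, so a client cannot supply it.
define('APP_ENTRY', true);
require __DIR__ . '/../lib/db.inc.php';

$db = db_connect();
// ... application code using $db ...
```

The guard costs nothing at runtime and works on hosts where .htaccess is disabled; where the configuration is under your control, also keep lib/ outside the document root or deny web access to it as the earlier notes suggest, so that a misconfigured handler serving the file as plain text cannot disclose its contents either.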
annonymous at domain dot com
27-Jun-2003 09:08
best bet is to build php as cgi, run under suexec, with chroot jailed users. Not the best, but fairly unobtrusive, provides several levels of checkpoints, and has only the detriment of being, well, kinda slow. 8)
ManifoldNick at columbus dot rr dot com
30-Apr-2003 01:30
Remember that security risks often don't involve months of prep work or backdoors or whatever else you saw on Swordfish ;) In fact one of the biggest newbie mistakes is not removing "<" from user input (especially when using message boards) so in theory a user could severely mess up a page or even have your server run php scripts which would allow them to wreak havoc on your site.
26-Feb-2003 08:00
For real security you should consider providing chrooted jails for your users.

Copyright © 2001-2006 The PHP Group
All rights reserved.