Bugtraq mailing list archives

Re: Web based apps and include files.


From: Mads Bach <bach () INDER NET>
Date: Mon, 4 Dec 2000 03:29:54 +0100

Mads Bach wrote:

- Make sure your webserver won't serve up the include file as text (if
you're using Apache, you can add a handler or an action for .inc files, for instance).

The reason I suggested using a handler, was to have additional control over
what happens when somebody tries to access one of your protected files.

A couple of people have written with additional suggestions:

- Placing the include files in a protected directory (using .htaccess), when
you don't have the option of placing them outside the webroot (Dustin Rue)

- Using an Apache filter, like this (Julien Savoie):
<Files ~ "\.phpincludes">
    Order allow,deny
    Deny from all
</Files>

- Using the FilesMatch directive, if you need full regular expression support
in the filenames (James Lyon).

Julien also raised the point that this won't protect you from users who
have access to the directories your files are in, if they are
world-readable. You can mitigate this somewhat if you can change the
permissions so that only the uid/gid of the webserver can read these files,
but this won't help if a user can get the webserver to run his own scripts.
This means that if your site is being hosted on a server shared with other
(untrusted) people, you'll probably have a hard time securing it against
these people.

/Mads
--
"I can hardly imagine a week-long black mass including welding equipment
and diamond-cutters." "No, but if they tried, they'd probably get signed to
release a CD of Industrial music. Or prosecuted for violating health & safety
regulations."  - Andreas Buzh Skau and Tanuki in Scary Devil Monastery

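As an added example (not part of the original post), a small POSIX shell audit for the permission issue raised above: it lists include files under a webroot that are readable by "other", and include files not group-owned by the webserver's group. The extensions .inc and .phpincludes come from the thread; the webroot path and group name are assumptions passed as arguments.

```shell
#!/bin/sh
# Audit include files under a webroot for the permission problem discussed
# in the thread: a file that the webserver can read but that is also
# world-readable is exposed to every local user on a shared host.
#
# Usage (paths and group are assumptions, adjust for your server):
#   find_world_readable_includes /var/www
#   find_includes_not_in_group   /var/www www-data

# Include-file name patterns taken from the thread (.inc, .phpincludes).
INCLUDE_NAME_TEST='( -name *.inc -o -name *.phpincludes )'

# Print every include file below $1 whose mode grants read to "other".
# -perm -o=r is POSIX find syntax: "at least these bits set".
find_world_readable_includes() {
    root="$1"
    find "$root" -type f \
        \( -name '*.inc' -o -name '*.phpincludes' \) \
        -perm -o=r -print
}

# Print every include file below $1 that is not group-owned by $2
# (the webserver's group), i.e. a file the intended chgrp missed.
find_includes_not_in_group() {
    root="$1"
    group="$2"
    find "$root" -type f \
        \( -name '*.inc' -o -name '*.phpincludes' \) \
        ! -group "$group" -print
}

# Convenience wrapper: returns 1 if any world-readable include exists,
# so it can gate a deployment script; 0 otherwise.
includes_are_private() {
    root="$1"
    if [ -n "$(find_world_readable_includes "$root")" ]; then
        return 1
    fi
    return 0
}
```

Run it as the same account that deploys the site; a non-empty listing from either function is a file to fix with chmod o-r or chgrp before it is relied on by the Apache rules above.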
