Forum Moderators: coopster


How to protect include files

Best way to protect files in my include directory

         

tomda

11:49 am on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What is the best way to block all URL requests that go to my include files (e.g. www.example.com/includes/include.php) without interfering with my website?

Thanks

barns101

12:10 pm on Apr 5, 2006 (gmt 0)

10+ Year Member



I believe that if you protect the includes directory with .htaccess basic authentication, PHP is still able to include the files as usual, but any direct requests (i.e. user types URL into web browser) get asked for a password.

tomda

12:24 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, that's what I tried with a simple password protection, but it failed and messed with pages calling include files.

ytswy

1:04 pm on Apr 5, 2006 (gmt 0)

10+ Year Member



I'm sure there's a much better way, but you could check in the files themselves what url they're being run from - $_SERVER['REQUEST_URI'] - and halt execution unless they're from an allowed path.

tomda

1:11 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That could be a solution, Ytswy, but if I need to check all the URLs from where the includes are called, I'll go crazy!

I guess include files are just like images when it comes to protection. You can't do anything (using htaccess) without interfering with other webpages.

Thanks anyway

topr8

1:13 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



erm why don't you just put the include files above the root of the website, then no-one can call them except you.

Habtom

1:24 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



//erm why don't you just put the include files above the root of the website, then no-one can call them except you.

I believe this is the best way, not only for images, but for any file you might want to access solely.

Habtom

henry0

1:29 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Best solution! I use it for my DB conn

tomda

1:37 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, just because:
1/ my host doesn't allow me to modify .htaccess (so I can't change the include path)
2/ and therefore, my include directory must be in the root.

henry0

1:56 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I use the following
<<<
require_once($_SERVER['DOCUMENT_ROOT']."/conn_whatever.php");

>>>

Include this in all files that need to include another file.
For example, if you need to include aa.php in bb.php, you insert my above DOC_RooT path in bb.php, and conn_whatever (located at root level) offers the path to your hidden file below root.

Done!

ryan26

3:37 pm on Apr 5, 2006 (gmt 0)

10+ Year Member



1/ my host doesn't allow me to modify .htaccess (so I can't change the include path)

New solution to new problem - get a new host!

jenningsdev

7:41 pm on Apr 5, 2006 (gmt 0)

10+ Year Member



Maybe you could create a file that precedes the include file and limits the use of ALL includes if they ARE NOT from your IP.

Create a gateway page say for example

local_ip_only.php

Create a switch on this page that only accepts URI requests
and directs them to the includes if they are local, and otherwise brings up a page that logs the offender and then blocks the IP

affender_log.php

Use required() at the top of each of the include files you want protected, so that it requires the URI script located in local_ip_only.php

I think if you play with this model it will work for you.

Shane

coopster

10:53 pm on Apr 5, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



There are quite a few shared hosting providers out there nowadays that are giving a public root ONLY to the user, no directories outside of the public domain. Not ideal, not fun. If your host does allow per-directory override files (.htaccess) then you have a few options, one of which you can read here when another member found himself at my wit's end with .htaccess protecting directory [webmasterworld.com].
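
An added example, not part of the original thread or any poster's code: for the case raised above where the includes must stay inside the web root and .htaccess is unavailable, each include can check whether it is itself the requested script, so no list of allowed caller URLs is needed. The file name guard.php and both function names are hypothetical.

```php
<?php
// includes/guard.php (hypothetical name; this whole file is an added example)

/**
 * True when $includeFile is itself the script the web server was asked to
 * run, i.e. the request URL pointed straight at the include.
 * $server is passed in (normally $_SERVER) so the check can be exercised
 * with constructed values.
 */
function requested_directly(string $includeFile, array $server): bool
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return false; // entry script unknown: do not break legitimate pages
    }
    // realpath() normalises symlinks and ../ so both sides compare equal.
    $entry = realpath($server['SCRIPT_FILENAME']);
    $self  = realpath($includeFile);
    return $entry !== false && $self !== false && $entry === $self;
}

/** Stop with a 404 before any of the include's own code runs. */
function deny_direct_access(string $includeFile): void
{
    if (requested_directly($includeFile, $_SERVER)) {
        http_response_code(404);
        exit;
    }
}

// In every protected file, e.g. includes/include.php, the first lines are:
//   require_once __DIR__ . '/guard.php';
//   deny_direct_access(__FILE__);

// Self-check with constructed paths, only when this file is run from the CLI.
if (PHP_SAPI === 'cli' && requested_directly(__FILE__, $_SERVER)) {
    $page = tempnam(sys_get_temp_dir(), 'page'); // stands in for /index.php
    // Case 1: the URL named the include itself.
    // Case 2: a normal page is the entry script and merely includes the file.
    $ok = requested_directly(__FILE__, ['SCRIPT_FILENAME' => __FILE__])
        && !requested_directly(__FILE__, ['SCRIPT_FILENAME' => $page]);
    unlink($page);
    echo $ok ? "guard self-check passed\n" : "guard self-check FAILED\n";
}
```

The guard only helps for files the server actually executes as PHP; an include saved with an extension the server does not hand to PHP is served as plain source and never reaches this check.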