Secure PHP includes

Afterlithe

10:09 pm on Mar 30, 2007 (gmt 0)

10+ Year Member



Hello everyone,
I am using this script to display pages selected in the menu to the main content area of the template.

<?php
require($page);
?>

So when you click on the link in the menu (i.e. ?page=mypage.php), it is displayed where the above PHP code is located. My problem is: how do I secure the above PHP include so that it's safe from remote file inclusion attacks and things of that nature?

Thanks for the help!

Achernar

10:13 pm on Mar 30, 2007 (gmt 0)

10+ Year Member Top Contributors Of The Month



Place your included scripts in a separate directory, and forbid the web server to serve pages/files from this directory ("Order Allow,Deny" either in .htaccess or in the virtual host's configuration).

Afterlithe

10:29 pm on Mar 30, 2007 (gmt 0)

10+ Year Member



Wouldn't that give you a forbidden error when you try and access your content page that is stored in the denied folder?

[edited by: Afterlithe at 10:32 pm (utc) on Mar. 30, 2007]

henry0

10:36 pm on Mar 30, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you know ahead of time the name/names of the landing pages,
you could do a switch where each case is a landing page.
If the value in your $_GET does not match any case, then do a default exit();

Afterlithe

10:40 pm on Mar 30, 2007 (gmt 0)

10+ Year Member



OK, sorry about my noobishness on the subject, but could you post the full code? I am really having a hard time figuring out how to just secure a PHP include.

OK, got a script that will work. It uses GET, and doesn't use any variables like $page. Thanks for your help.

[edited by: Afterlithe at 11:04 pm (utc) on Mar. 30, 2007]

joelgreen

11:11 pm on Mar 30, 2007 (gmt 0)

10+ Year Member



Something like this:

switch ($page) {
    case 'home':
        $url = 'index.php';
        break;
    case 'contact':
        $url = 'contact.php';
        break;
    case 'about':
        $url = 'about.php';
        break;
    default:
        $url = 'index.php';
}

require($url);
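Combining joelgreen's switch with Achernar's advice to keep the included files in a directory the web server does not serve, here is an added example (not code from the thread). The PAGES_DIR layout, the resolvePage() name and the 404 handling are assumptions; the key point is that the raw ?page= value is only ever used as an array key, never as part of a path.

```php
<?php
declare(strict_types=1);

// Assumed layout: the includes live outside the document root, in a
// directory Apache is told not to serve (Order Allow,Deny in .htaccess).
const PAGES_DIR = __DIR__ . '/../includes';

// Allowlist: the only ?page= keys a visitor may use, each mapped to a
// file name chosen by us, not by the visitor.
const PAGE_MAP = [
    'home'    => 'index.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

/**
 * Map a ?page= value to an absolute path inside PAGES_DIR, or return
 * null if it is not on the allowlist. Because the visitor's string is
 * never concatenated into the path, "../", "php://" or "http://" can
 * never reach require().
 */
function resolvePage($key): ?string
{
    // $_GET values can also be arrays (?page[]=x), so check the type first.
    if (!is_string($key) || !array_key_exists($key, PAGE_MAP)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$key]);

    // Defence in depth: even a mistyped map entry cannot escape PAGES_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$target = resolvePage($_GET['page'] ?? null);
if ($target === null) {
    // Unknown key: fail closed instead of falling back to a guess.
    http_response_code(404);
    exit('Page not found');
}
require $target;
```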

Afterlithe

11:20 pm on Mar 30, 2007 (gmt 0)

10+ Year Member



That's almost the exact code I found. Thanks for all the great help, guys.

Achernar

12:47 pm on Mar 31, 2007 (gmt 0)

10+ Year Member Top Contributors Of The Month



Wouldn't that give you a forbidden error when you try and access your content page that is stored in denied folder?

No, because "include()" or "require()" include the file using the file system, not a web page using a web server (unless you specify a URL instead of a filename).

This means that your scripts can access the protected PHP code, but a visitor can't use your web server to access it (he will get a 403). There is no need to add protection code to your lib.