Will this protect my include files?

My attempt to replace defined().

         

darthmalis

3:10 am on Jul 17, 2008 (gmt 0)




I am trying to find a good solid way to prevent people from accessing my include files like /includes/database_login_info.php. I know that one popular way is to define a constant in all your accessible pages and check to see if it is defined in protected files. However, that method is not all that helpful when building portable classes and libraries. I am looking for a plug and play solution. So far I have come up with this:

if (ereg('[/\\]' . trim($_SERVER['PHP_SELF'], '/') . "$", __FILE__)) die('This file can not be accessed directly!');

I have tested it and it seems to work. Is there some reason that this would not work? It just seems so easy that the !defined() method would not be so popular.

eelixduppy

3:37 am on Jul 17, 2008 (gmt 0)



The most common way of doing this is to keep your included files ABOVE the web root directory and therefore it will not be accessible from the web. As far as making them portable, I usually have a configuration file that defines the path to the includes directory, so for instance, it could look something like this:

# path to include directory above web root
define('INCLUDE_DIR', '/path/to/includes/');

And then when you use it in your code it would always look like this:


require('config.php');
include(INCLUDE_DIR . 'file.php');

As far as answering your question, however, what you have at quick glance looks OK but I would go with the other option if I were you.
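
A self-contained variant of the guard from the first post, as an added example that is not code from either poster: it compares the canonical path of the entry script with `__FILE__` instead of matching `PHP_SELF` as a regular expression, since `PHP_SELF` can include trailing path info from the URL and its dots act as regex wildcards. The helper name `is_direct_request()` and the sample `$_SERVER` arrays are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. is_direct_request() is a
// hypothetical helper name; the $_SERVER arrays below are constructed.

/**
 * True when $includeFile (pass __FILE__) is the script the server was
 * asked to run, i.e. the file was requested directly and not included.
 */
function is_direct_request(string $includeFile, array $server): bool
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return false;               // no entry script recorded
    }
    $entry = realpath($server['SCRIPT_FILENAME']);
    $self  = realpath($includeFile);
    return $entry !== false && $entry === $self;
}

// In an include file the guard would read:
//   if (is_direct_request(__FILE__, $_SERVER)) {
//       http_response_code(403);
//       exit('This file can not be accessed directly!');
//   }

// Constructed cases, using this file as the "include" so they run anywhere.
$other = tempnam(sys_get_temp_dir(), 'idx');   // stands in for index.php
$cases = [
    'included by another script' => ['SCRIPT_FILENAME' => $other,
                                     'PHP_SELF' => '/index.php'],
    'requested directly'         => ['SCRIPT_FILENAME' => __FILE__,
                                     'PHP_SELF' => '/includes/db.php'],
    // PHP_SELF can carry trailing path info; the comparison ignores it.
    'direct, with path info'     => ['SCRIPT_FILENAME' => __FILE__,
                                     'PHP_SELF' => '/includes/db.php/x'],
];
foreach ($cases as $label => $server) {
    printf("%-28s %s\n", $label,
        is_direct_request(__FILE__, $server) ? 'blocked' : 'allowed');
}
unlink($other);
```

Run from the command line, the first case prints `allowed` and the other two print `blocked`.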