Making sure file1 is only included by file2


morales2k

12:51 pm on Jan 8, 2009 (gmt 0)




Hello fellow webmasters and php gurus,

I have a task and have struggled with many hours of Google browsing to find something I could use, but to no avail.

Here is my 'problem'.

I have SQL configuration (username, password, host, prefix, etc.) in file1.php, and this file is included by file2.php... NOW, if someone managed to get a shell script or hacked into the website (I'm using a CMS) and they use a custom page - they could include file1.php as well and grab my database configuration.

How can I avoid this?

I would like file1.php to be included only by file2.php because file2.php later on unsets these variables, making them inaccessible because their function has already been completed. So if they include file2.php they will not see the vars in which I have the database access configured... ;)

Is there something I can do!?

haamro

1:06 pm on Jan 8, 2009 (gmt 0)




Hi, here is what I would have done, though I haven't tried it.

Change the file permission of file1.php to 0
so that no one will find that you have file1.php residing on your server.

From file2.php change the chmod of file1.php and then include it.

;)

[edited by: haamro at 2:02 pm (utc) on Jan. 8, 2009]

morales2k

1:36 pm on Jan 8, 2009 (gmt 0)




Seems like a nice solution... I was wondering if I could provide the solution to the CMS community, however this would mean that the attackers will have knowledge of the chmodding and they would be able to circumvent it... however, other than this, I do not believe there is another way to do what I need... *shrug* I guess I will keep searching around and see...

Thanks for your reply haamro, it helped me a lot!

eelixduppy

2:34 pm on Jan 8, 2009 (gmt 0)



If someone is running shell scripts on your server there is a bigger issue here than them including a file into a PHP script.

morales2k

2:36 pm on Jan 9, 2009 (gmt 0)




Hi eelixduppy. Indeed. I am on shared hosting, and I was told by my hosting company at a certain point in the past that another account had been hacked and the attacker used a shell script to gain access to the server. Apparently they managed to do some neat stuff there, and contained the breach, but the attacker gained access to the MySQL servers by finding configuration in files used by CMS software to connect. This is why I would like to modify the CMS I use to only be able to include that file1 (with MySQL config and connection data) in file2 (where I unset the config and con data after use).

My account files were mostly unharmed, and no edits were registered on the server. The times were all old... so they did not touch my files. However I would like to stay on the safe side because no one can assure me whether they grabbed my data, or whether they infected other accounts on the server and could try that game again. This is where I am coming from with this question on this thread. Probably there could be other things I could do to stay safer... but if file1 is meant to be included ONLY by file2... I think there should be a way for it to STAY that way... wouldn't you guys agree!?

eelixduppy

4:16 pm on Jan 9, 2009 (gmt 0)



Unfortunately I do not think you are going to be able to do this. Using haamro's solution up above should still allow all other PHP scripts to access that file as well, not JUST file2.php. The only way for ONLY file2 to be able to include this data is if the data was written directly into file2 to begin with, and there was no separate configuration file for this info. Other than that I don't see a secure way of doing this. All I can say is that if you are really concerned with someone hacking your files you might want to consider moving to another host.

mcavic

4:33 pm on Jan 9, 2009 (gmt 0)




I don't think there's any way to restrict access to a PHP script on a shared server. The web server still has to be able to read it, and other users can easily gain the web server's permissions just by writing and running a script.
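
An added illustration of the point made in the two replies above (not code from any poster in this thread): a small permission audit that classifies what a given process identity can do with a config file under classic Unix mode bits, without ACLs. The uids, scenario labels and function names are constructed; the last scenario assumes a host that runs each account's PHP under that account's own uid, which goes beyond the setup described in the thread.

```python
import os
import stat

def can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Classic Unix read check (no ACLs): the first matching class decides."""
    if proc_uid == 0:
        return True
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def exposure(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Classify what a process with proc_uid/proc_gids can do with the file."""
    if can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids):
        return "readable"
    # Only the owner (or root) may chmod, so a mode of 0 stops nobody who
    # runs under the owning uid: they can restore the read bit first.
    if proc_uid == owner_uid:
        return "readable after chmod"
    return "protected"

def audit_path(path, proc_uid, proc_gids):
    """Apply exposure() to a real file's current owner and mode."""
    st = os.stat(path)
    return exposure(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    proc_uid, proc_gids)

# Constructed scenarios. WEB is the uid/gid every account's PHP runs under on
# the assumed shared host; ME and NEIGHBOUR are two customer accounts.
WEB, ME, NEIGHBOUR = 33, 1001, 1002
SCENARIOS = [
    ("0644 owned by me, any PHP script (runs as WEB)", 0o644, ME, ME, WEB, [WEB]),
    ("0000 owned by me, file2.php itself (runs as WEB)", 0o000, ME, ME, WEB, [WEB]),
    ("0000 owned by WEB, any PHP script (runs as WEB)", 0o000, WEB, WEB, WEB, [WEB]),
    ("0600 owned by me, neighbour's PHP under own uid", 0o600, ME, ME, NEIGHBOUR, [NEIGHBOUR]),
]

def run_scenarios():
    return [(label, exposure(mode, uid, gid, puid, pgids))
            for label, mode, uid, gid, puid, pgids in SCENARIOS]

if __name__ == "__main__":
    for label, result in run_scenarios():
        print(f"{result:22} {label}")
```

The second and third rows show the bind the chmod idea runs into: if file2.php can restore the read bit, so can every other script running under the same uid, and if it cannot, file2.php cannot include the file either.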

morales2k

5:48 pm on Jan 9, 2009 (gmt 0)




Much appreciated replies guys!

Will have to move to another server for this website. Thanks for your help.

[Case Closed]