Hiding scripts outside public_html folder

ringo747

ringo747

ringo747

Soldato
Joined
1 Feb 2006
Posts
8,188
Hi,

As title suggests really. I have a number of php scripts that I don't want to be able to be called from public folder. I have another folder outside my public folder and i set a php include path in one of the .htaccess files.

Just curious to know what all you guys put in an external folder and how you call it? Is there any best practice for this?

I have a number of simple includes files like headers and so on which I will reference on every page. I don't want someone to be able to access this directly in the url bar. Should this be dumped into a non-public folder?

Also I have things like file generation scripts. This obviously should be included outside the public folder.

In summary, should any file which i call using php include() be stored outside public folder so it cannot be accessed directly?

Thanks
 
I name my application-internal PHP files like *.inc.php, and use this in my .htaccess where I put them :
Code: 
<Files *.inc.php>
deny from all
</Files>
You can do a similar thing with a RewriteRule if you want to name them in a more complex way, and match them with a regex.

The publically-accessable *.php files can still include() the *.inc.php's, but they can't be accessed directly through the web server via a HTTP request. (They don't show up in directory indexes either)
 
Of you can put a declaration at the top of your PHP file "if not defined $specialvariable then die" and make sure you define it when you create your program.

If the guys who made joomla do it, its good enough for me. And no accidents either.
 
You must log in or register to reply here.
Back
Top Bottom