> -----Original Message-----
> From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
> Sent: 26 September 2002 16:09
>
> as long as that same session code is present at the top of
> all the included files that are put in later. basically you
> need to put the session code in every page (even if you only
> intend to use it as an include) you wish to protect otherwise
> its contents can be read by directly typing in the url in the
> same way that you can read included .js and .css files.

... and this is precisely why all your include files should be in directories which are not servable by your Web server -- if your Web server can't serve them, then they can't be "accidentally" served by someone typing their URL in directly, because they don't have a URL!

Personally, I don't put *any* files with live code in http-servable directories. All of my PHP scripts that Apache can serve as "top-level" scripts look pretty much like this:

    <?php
    ini_set('include_path', '../../dir-not-in-http-space/include');
    require 'the_real_script.php';
    ?>

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP Database Mailing List (http://www.php.net/)
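
An added example, not part of the original message: a small audit that walks a document root and reports every .php file that is not a thin stub of the shape shown in the reply, or whose include_path still resolves inside the document root. The function names, the htdocs layout and the sample files are constructed for illustration; it assumes a single relative include_path entry, resolved against the stub's own directory.

```python
import re
import tempfile
from pathlib import Path

# Matches the stub layout from the post: set include_path, then require one file.
STUB_RE = re.compile(
    r"""^\s*<\?php\s+
        ini_set\(\s*'include_path'\s*,\s*'(?P<inc>[^']+)'\s*\)\s*;\s*
        require(?:_once)?\s+'[^']+'\s*;\s*
        (?:\?>)?\s*$""",
    re.VERBOSE,
)

def audit_docroot(docroot):
    """Return {relative_path: finding} for each .php file that is not a safe stub."""
    docroot = Path(docroot).resolve()
    findings = {}
    for php in sorted(docroot.rglob("*.php")):
        rel = php.relative_to(docroot).as_posix()
        m = STUB_RE.match(php.read_text(errors="replace"))
        if m is None:
            # Anything beyond the two-statement stub is code a direct URL can reach.
            findings[rel] = "live code in servable directory"
            continue
        # Assumption: the relative include_path resolves against the stub's directory.
        inc_dir = (php.parent / m.group("inc")).resolve()
        if inc_dir == docroot or docroot in inc_dir.parents:
            findings[rel] = "include_path is still inside the document root"
    return findings

def demo():
    """Build a constructed site tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        htdocs = root / "site" / "htdocs"
        (htdocs / "inc").mkdir(parents=True)
        (root / "dir-not-in-http-space" / "include").mkdir(parents=True)
        stub = "<?php\nini_set('include_path', '%s');\nrequire 'the_real_script.php';\n?>\n"
        (htdocs / "index.php").write_text(stub % "../../dir-not-in-http-space/include")
        (htdocs / "bad.php").write_text(stub % "inc")  # points back into htdocs
        (htdocs / "inc" / "db.php").write_text("<?php $password = 'constructed'; ?>\n")
        return audit_docroot(htdocs)

if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{path}: {finding}")
```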