To add to this - you should place critical information (like passwords, etc.) outside the document root. That way, even if the server is misconfigured, others won't be able to easily gain access to those files.

-----Original Message-----
From: Jason Wong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 01, 2002 3:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] include()

On Thursday 01 August 2002 15:28, Lord Loh. wrote:
> I suppose include() can be used to include files from remote systems (not on
> WINDOWS).
>
> So, how can I protect my script from unauthorised inclusions?
>
> A webmaster on the same server can always use a path like
> "/home/htdocs/.../config.php" and include my config.php which contains my
> database password!!
>
> Even a webmaster from a remote server can do the same by probably using
> http://www.xyz.net/config.php
>
> I am using Windows 2000/Apache/PHP so I really have not tried these... but
> the docs say it can be done (remote system inclusion except on win)

When you include() a remote file, e.g. http://www.xyz.net/config.php, it only includes the OUTPUT of http://www.xyz.net/config.php. Thus if all config.php does is assign some values to variables, i.e. produces no output, then the result of the include is nothing.

Basically, if you have a correctly configured webserver then there is no need to worry about people remotely including your scripts (because all they see is the HTML produced by your script).

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
"There is no statute of limitations on stupidity."
-- Randomly produced by a computer program called Markov3.
*/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
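
An added example, not part of the original thread: one way to apply the advice about keeping credentials outside the document root, with a loader that refuses a config file located under the web tree. The function names, directory layout and sample secret are assumptions constructed for the illustration.

```php
<?php
// Added example. Function names, paths and the sample secret are assumptions.

// True if $path resolves to a location at or below $docRoot.
// realpath() canonicalises ".." segments and symlinks before the comparison.
function is_inside_docroot(string $path, string $docRoot): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($docRoot);
    if ($realPath === false || $realRoot === false) {
        throw new RuntimeException('Cannot resolve path');
    }
    // Compare with trailing separators so /var/www does not match /var/www-old.
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realPath = rtrim($realPath, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $realRoot, strlen($realRoot)) === 0;
}

// Load a config file that returns an array, refusing any file that
// sits under the document root.
function load_private_config(string $configPath, string $docRoot): array
{
    if (is_inside_docroot($configPath, $docRoot)) {
        throw new RuntimeException('Config file is inside the document root');
    }
    $config = require $configPath;
    if (!is_array($config)) {
        throw new RuntimeException('Config file did not return an array');
    }
    return $config;
}

// Constructed demo layout in a temp directory, so this runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . getmypid();
mkdir($base . '/htdocs', 0700, true);
mkdir($base . '/private', 0700, true);
$body = '<?php return ["db_pass" => "constructed-sample"];' . "\n";
file_put_contents($base . '/private/config.php', $body);
file_put_contents($base . '/htdocs/config.php', $body);

$cfg = load_private_config($base . '/private/config.php', $base . '/htdocs');
echo 'loaded keys: ', implode(',', array_keys($cfg)), "\n";

try {
    load_private_config($base . '/htdocs/config.php', $base . '/htdocs');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The path check covers only the HTTP exposure; protecting the file from other accounts on a shared host is a matter of filesystem permissions.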