> > Hi!
> >
> > I want my include-files not to be seen from outside AND not be executed!!!
> > I don't have access to a directory outside DOCUMENT_ROOT and I don't have
> > .htaccess!!!
> >
> > I think about something like:
> > 1.
> > name: <file>.inc.php
> > 2.
> > add code:
> > if ($PHP_SELF==MY_NAME) exit;
> > as first line in the included script.
> > so, if the script is being included from another script, the code will be
> > executed - but if the file will be called directly, no code is executed!
> > BUT - how do I get the include-file's name?
> >
> > or is it safe enough, to use something like
> > if (substr($SCRIPT_URL,-8)==".inc.php") exit;
>
> I'm not sure what your $SCRIPT_URL is.
> It might not be safe if a user makes a request like,
>
> test.inc.php?abc=123
> test.inc.php?SCRIPT_URL=123
>
> Since it is comparing the last 8 chars and it is not using
> $HTTP_SERVER_VARS['SCRIPT_NAME']
> (SCRIPT_URL is a typo for SCRIPT_NAME or SCRIPT_FILENAME??)
>
> If I were you, I would put
>
> if (substr($HTTP_SERVER_VARS['SCRIPT_NAME'], -8) == '.inc.php') {
>     // error_log() is PHP's built-in logger
>     error_log('Bad request from ' . $HTTP_SERVER_VARS['REMOTE_ADDR']);
>     header('HTTP/1.0 400 Bad Request');
>     // header('HTTP/1.0 403 Forbidden'); // You might use this header instead, or redirect to your own warning page.
>     exit;
> }
>
>
> If you can use $HTTP_SERVER_VARS, using it is safer.
Many thanks!
I found the following variables that hold the script name, but no
GET variables (as QUERY_STRING would do!)
- and calling script.inc.php?SCRIPT_NAME=xxx.php doesn't change the
variable!!!
HTTP_SERVER_VARS["SCRIPT_FILENAME"]
HTTP_SERVER_VARS["SCRIPT_URI"]
HTTP_SERVER_VARS["SCRIPT_URL"]
HTTP_SERVER_VARS["SCRIPT_NAME"]
HTTP_SERVER_VARS["PATH_TRANSLATED"]
HTTP_SERVER_VARS["PHP_SELF"]
So - which one should I use???
Thanks
michi
--
PHP General Mailing List (http://www.php.net/)
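
The guard discussed in this thread, as an added example that is not part of the original messages: inside an included file `__FILE__` is that file's own path, so comparing it with the server-set SCRIPT_FILENAME tells a direct request from an include without matching on a URL suffix. The function name and the sample requests are constructed, and `$_SERVER` is the current spelling of the thread's `$HTTP_SERVER_VARS`.

```php
<?php
// Added example, not code from the thread. requested_directly() and the
// sample requests below are constructed for illustration.

// Pass __FILE__ from inside the include: it always names the include itself,
// while SCRIPT_FILENAME names the script the server was asked to run.
function requested_directly($includeFile, array $server)
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return true;                 // fail closed: entry script unknown
    }
    $entry = realpath($server['SCRIPT_FILENAME']);
    $self  = realpath($includeFile);
    if ($entry === false || $self === false) {
        return true;                 // fail closed: path did not resolve
    }
    return $entry === $self;         // compare files, not URL suffixes
}

// Typical use as the first statement of lib.inc.php:
//   if (requested_directly(__FILE__, $_SERVER)) {
//       header('HTTP/1.0 403 Forbidden');
//       exit;
//   }

// Constructed demo: a stand-in entry script that exists on disk.
$entryScript = tempnam(sys_get_temp_dir(), 'entry');
$dotted = dirname(__FILE__) . '/./' . basename(__FILE__);

$requests = array(
    'included by another script'          => array('SCRIPT_FILENAME' => $entryScript),
    'include requested directly'          => array('SCRIPT_FILENAME' => __FILE__),
    'same file, path spelled differently' => array('SCRIPT_FILENAME' => $dotted),
    'SCRIPT_FILENAME missing'             => array(),
);

foreach ($requests as $label => $server) {
    $verdict = requested_directly(__FILE__, $server) ? 'block' : 'allow';
    printf("%-38s %s\n", $label, $verdict);
}

unlink($entryScript);
```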