Most web accounts have at least one or two directory levels behind the public directory. Simply place the files behind the public directory and call them into your main script from there. Absolutely no reason those files need to be publicly accessible.

-Kevin
----- Original Message -----
From: "Jacob Copsey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 1:02 PM
Subject: [PHP] Security in included PHP files

> I am beginning work on a new web-based application using PHP and MySQL. I
> have been doing a lot of reading about PHP security and web application
> security in general to make sure I am up-to-date on what is known in this
> area.
>
> My style of PHP is to name all included files with a .php extension and of
> course this raises the problem of people accessing these script files
> directly. My main question is if all of the code inside an included PHP file
> is put inside one or more functions this should prevent anyone from running
> any of that code by directly calling that PHP file correct? There is no way
> for them to invoke a function just from a URL assuming I have no code at all
> outside the functions.
>
> And this leads to another question... if I encapsulate most of my variables
> inside one or more classes doesn't this help protect against attacks also?
> Is there a way for someone to set a class variable to a value just from a
> GET or POST request (or even file or cookie)? As long as I am carefully
> validating what information I put into the object variable this seems to be
> a way of adding another layer of protection.
>
> Any thoughts or comments regarding this and any other issues I should take
> into consideration regarding security are welcome.
>
> Jacob
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
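
The layout suggested in the reply above, sketched as an added example that is not part of the original thread. The directory names, the file names (`db.php`, `home.php`, `contact.php`) and the `page` parameter are assumptions made for illustration.

```php
<?php
// public/index.php: the only PHP file inside the web server's document root.
// Assumed (constructed) layout for this example:
//   /home/account/app/lib/db.php          <- no URL maps to this directory
//   /home/account/app/lib/pages/home.php
//   /home/account/app/public/index.php    <- document root points at public/
declare(strict_types=1);

// Resolve the private directory from this file's own location,
// never from anything supplied in the request.
$libDir  = realpath(dirname(__DIR__) . '/lib');
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

if ($libDir === false || $docRoot === false) {
    http_response_code(500);
    exit('Configuration error');
}

// Deployment check: stop if the private directory has ended up inside
// the document root, where its files could be requested directly.
$sep = DIRECTORY_SEPARATOR;
if (strpos($libDir . $sep, $docRoot . $sep) === 0) {
    http_response_code(500);
    exit('Configuration error');
}

// Fixed map from page name to include file. The request value only
// selects a key; it is never concatenated into a path.
$pages = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($pages[$page])) {
    http_response_code(404);
    exit('Not found');
}

// Shared code first, then the selected page, both from outside the docroot.
require $libDir . '/db.php';
require $libDir . '/pages/' . $pages[$page];
```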