Have you thought about moving your include files outside of the web directory?
i.e. If your site is in ../apache/htdocs/web/mywbsite_folder then move your include files to ../apache/my_include_folder/ or something similar.

-john

=P e p i e D e s i g n s
www.pepiedesigns.com
Providing Solutions That Increase Productivity

Web Development. Database. Hosting. Multimedia.

On Wed, 15 Jan 2003, Jacob Copsey wrote:

> I am beginning work on a new web-based application using PHP and MySQL. I
> have been doing a lot of reading about PHP security and web application
> security in general to make sure I am up-to-date on what is known in this
> area.
>
> My style of PHP is to name all included files with a .php extension and of
> course this raises the problem of people accessing these script files
> directly. My main question is if all of the code inside an included PHP file
> is put inside one or more functions this should prevent anyone from running
> any of that code by directly calling that PHP file correct? There is no way
> for them to invoke a function just from a URL assuming I have no code at all
> outside the functions.
>
> And this leads to another question... if I encapsulate most of my variables
> inside one or more classes doesn't this help protect against attacks also?
> Is there a way for someone to set a class variable to a value just from a
> GET or POST request (or even file or cookie)? As long as I am carefully
> validating what information I put into the object variable this seems to be
> a way of adding another layer of protection.
>
> Any thoughts or comments regarding this and any other issues I should take
> into consideration regarding security are welcome.
>
> Jacob

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
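
The layout suggested in the reply, as an added example that is not part of the original thread: a front controller inside the web directory that loads include files from a sibling folder outside it and refuses to run if that folder is reachable by URL. The file name `index.php`, the helpers `is_inside()` and `load_include()`, and the include name `db_functions` are hypothetical; the directory names are the ones used in the reply. It assumes PHP 7.0 or later.

```php
<?php
// Assumed location: ../apache/htdocs/web/mywbsite_folder/index.php
// Assumed include folder (from the reply): ../apache/my_include_folder/
declare(strict_types=1);

// True when $path is $dir itself or lies beneath it (both already canonical).
function is_inside(string $path, string $dir): bool
{
    $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $dir, strlen($dir)) === 0;
}

// Three levels above this file's directory is ../apache/ in the assumed layout.
$includeDir = realpath(dirname(__DIR__, 3) . '/my_include_folder');
$docRoot    = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

// Fail closed if either path is missing, or if the include folder has ended
// up under the document root (moved, or symlinked), where it could be requested.
if ($includeDir === false || $docRoot === false || is_inside($includeDir, $docRoot)) {
    error_log('include folder missing or inside the document root');
    http_response_code(500);
    exit('Server configuration error.');
}

// Load one include file by bare name; the name never carries a path.
function load_include(string $name, string $includeDir): void
{
    if (preg_match('/\A[A-Za-z0-9_]+\z/', $name) !== 1) {
        throw new InvalidArgumentException('invalid include name');
    }
    // realpath() resolves symlinks, so a link pointing elsewhere is rejected.
    $file = realpath($includeDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($file === false || !is_inside($file, $includeDir)) {
        throw new RuntimeException('include file not found: ' . $name);
    }
    require_once $file;
}

load_include('db_functions', $includeDir); // hypothetical include file
```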