Great! I was just looking for confirmation that my assumptions in my original post were correct. I have been using PHP for quite some time but have never read a specific article about possible attacks that allow modification of values in a class object or execution of functions in a PHP script. It is rarely safe to assume things when it comes to security so I figured I would ask.
Thanks again for responding.

--Jacob

"John W. Holmes" <[EMAIL PROTECTED]> wrote in message
news:003801c2bd13$01fc85b0$7c02a8c0@coconut...
> You already have your solution in your original question, then. If you
> don't want to use any of these other techniques, then name your files
> with a .php extension (I use .inc.php) and enclose everything in classes
> or functions. If you're just aware that your included files can be run
> out of context, and program accordingly, your scripts will be just fine.
>
> An include file full of functions or classes will not "run" anything
> when called, it'll simply load it into memory.
>
> ---John W. Holmes...
>
> PHP Architect - A monthly magazine for PHP Professionals. Get your copy
> today. http://www.phparch.com/
>
> > -----Original Message-----
> > From: Jacob Copsey [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 15, 2003 3:53 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Security in included PHP files
> >
> > I agree these are good solutions and I have considered them. However, I am
> > looking for an all-inclusive solution that is code only within PHP that
> > allows the admin of the application to copy the files to their server and
> > not need to do any server specific configuration. That is why I don't name
> > the included files with .inc. It would require configuration of the server
> > to prevent downloading of those files and I don't want to require that step
> > of people who choose to run the app on their server.
> >
> > Thanks for the input!
> >
> > Jacob
> >
> > "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > --- Jacob Copsey <[EMAIL PROTECTED]> wrote:
> > > > My style of PHP is to name all included files with a .php
> > > > extension and of course this raises the problem of people
> > > > accessing these script files directly.
> > >
> > > I always name included files *.inc myself, but that's a
> > > personal preference combined with a strong desire to adhere
> > > to strict naming conventions.
> > >
> > > It is very easy to make sure people cannot access your
> > > include files directly. There are two common ways to do
> > > this, and I will mention my preference first.
> > >
> > > 1. Do not store your include files under document root.
> > > This is a very simple and straightforward approach that
> > > negates all of the types of questions you were asking.
> > >
> > > 2. Deny access to any file with an extension of inc. Of
> > > course, you would have to conform to a naming standard a
> > > bit more for this to work. A quick Google search revealed
> > > this example for Apache:
> > >
> > > <Files ~ "\.inc$">
> > > Order Allow,Deny
> > > Deny from all
> > > </Files>
> > >
> > > Chris
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
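The advice quoted above, that an include file holding only functions or classes runs nothing when requested directly, can be checked mechanically. The script below is an added example, not code from anyone in the thread: it tokenizes an include file and reports statements that sit outside any function or class. The names `findTopLevelCode` and `$sample` are hypothetical, and it assumes PHP 7.4+ with the tokenizer extension.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with the
// tokenizer extension; braced "namespace X { }" blocks are not handled.
// findTopLevelCode() and $sample are hypothetical names.

function findTopLevelCode(string $source): array
{
    $skip = [T_COMMENT, T_DOC_COMMENT];
    $decl = [T_FUNCTION, T_CLASS, T_INTERFACE, T_TRAIT, T_ABSTRACT,
             T_FINAL, T_NAMESPACE, T_USE];
    $depth = 0;       // nesting of real { } blocks
    $interp = 0;      // open "{$var}" interpolations inside strings
    $inside = false;  // true while consuming one declaration or statement
    $line = 1;
    $found = [];      // line number => first token of the offending statement

    foreach (token_get_all($source) as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [null, $tok];
        $line = is_array($tok) ? $tok[2] : $line;
        if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $interp++;                       // "{$x}" is not a code block
        } elseif ($text === '}' && $interp > 0) {
            $interp--;
        } elseif ($text === '{') {
            $depth++;
        } elseif ($text === '}') {
            $depth--;
            $inside = $depth > 0;            // a body closed at top level ends the construct
        } elseif ($depth === 0 && ($text === ';' || in_array($id, [T_OPEN_TAG, T_CLOSE_TAG], true))) {
            $inside = false;                 // statement terminator at top level
        } elseif ($depth === 0 && !$inside && trim($text) !== '' && !in_array($id, $skip, true)) {
            $inside = true;
            if (!in_array($id, $decl, true)) {
                $found[$line] ??= trim($text);   // executable code, or output outside PHP tags
            }
        }
    }
    return $found;
}

// Constructed sample: the function is inert on a direct request, the call is not.
$sample = <<<'PHP'
<?php
function db_connect() { return "{$GLOBALS['dsn']}"; }
db_connect();
PHP;
foreach (findTopLevelCode($sample) as $line => $token) {
    echo "line $line: top-level code starting at '$token'\n";
}
```

An empty result means a direct request to the file only defines symbols; any reported line is code that runs out of context when the include is fetched by URL.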