> -----Original Message-----
> From: Griffiths, Daniel [mailto:[EMAIL PROTECTED]]
> Sent: 26 September 2002 16:09
> as long as that same session code is present at the top of 
> all the included files that are put in later. Basically you 
> need to put the session code in every page (even if you only 
> intend to use it as an include) you wish to protect, otherwise 
> its contents can be read by directly typing in the URL in the 
> same way that you can read included .js and .css files.

... and this is precisely why all your include files should be in directories which 
are not servable by your Web server -- if your Web server can't serve them, then they 
can't be "accidentally" served by someone typing their URL in directly, because they 
don't have a URL!

Personally, I don't put *any* files with live code in http-servable directories.  All 
of my PHP scripts that Apache can serve as "top-level" scripts look pretty much like 

   ini_set('include_path', '../../dir-not-in-http-space/include');
   require 'the_real_script.php';



Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
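
An added example, not part of the original post: a Python audit that walks a document root and reports every .php/.inc file that is more than the two-line stub described above, or whose include_path points back inside the servable tree. The names audit_docroot and demo and the sample tree are constructed for illustration; it assumes a relative include_path entry resolves against the stub's own directory.

```python
import os
import re
import tempfile

# The only statements a servable stub may contain (the pattern from the post).
INI_SET = re.compile(r"""ini_set\(\s*['"]include_path['"]\s*,\s*['"]([^'"]+)['"]\s*\)\s*;""")
REQUIRE = re.compile(r"""(?:require|include)(?:_once)?\s*\(?\s*['"][^'"]+['"]\s*\)?\s*;""")
NOISE = re.compile(r"<\?php|\?>|//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)  # tags and comments

def audit_docroot(docroot, exts=(".php", ".inc")):
    """Return {relative_path: reason} for files under docroot that break the stub rule."""
    docroot = os.path.realpath(docroot)
    findings = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            rel = os.path.relpath(os.path.join(base, name), docroot)
            with open(os.path.join(docroot, rel), encoding="utf-8", errors="replace") as fh:
                code = NOISE.sub("", fh.read())
            m = INI_SET.search(code)
            leftover = REQUIRE.sub("", INI_SET.sub("", code)).strip()
            if leftover:
                findings[rel] = "live code inside the servable directory"
            elif m is None:
                findings[rel] = "stub does not set include_path"
            else:
                for entry in m.group(1).split(os.pathsep):
                    target = os.path.realpath(os.path.join(base, entry))
                    if os.path.commonpath([target, docroot]) == docroot:
                        findings[rel] = "include_path entry is inside the docroot"
    return findings

def demo():
    """Constructed sample tree: one correct stub, one exposed include, one bad path."""
    with tempfile.TemporaryDirectory() as top:
        docroot = os.path.join(top, "htdocs")
        os.makedirs(os.path.join(docroot, "inc"))
        samples = {
            "index.php": "<?php\nini_set('include_path', '../private/include');\nrequire 'the_real_script.php';\n",
            "inc/db.inc": "<?php\n$password = 'constructed-example';\n",
            "admin.php": "<?php\nini_set('include_path', 'inc');\nrequire 'db.inc';\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(docroot, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_docroot(docroot)
```

Calling demo() returns findings for inc/db.inc and admin.php only; index.php passes because its include_path resolves outside the document root.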
