> Hi!
>
> I want my include-files not to be seen from outside AND not to be executed!!!
> I don't have access to a directory outside DOCUMENT_ROOT and I don't have
> .htaccess!!!
>
> I think about something like:
> 1.
> name: <file>.inc.php
> 2.
> add code:
> if ($PHP_SELF==MY_NAME) exit;
> as the first line in the included script.
> so, if the script is being included from another script, the code will be
> executed - but if the file will be called directly, no code is executed!
> BUT - how do I get the include-file's name?
>
> or is it safe enough, to use something like
> if (substr($SCRIPT_URL,-8)==".inc.php") exit;

I'm not sure what your $SCRIPT_URL is.
It might not be safe if a user makes requests like,

test.inc.php?abc=123
test.inc.php?SCRIPT_URL=123

Since it is comparing the last 8 chars and it is not using
$HTTP_SERVER_VARS['SCRIPT_NAME']
(SCRIPT_URL is a typo of SCRIPT_NAME or SCRIPT_FILENAME??)

If I were you, I would put

if (substr($HTTP_SERVER_VARS['SCRIPT_NAME'], -8) == '.inc.php') {
    // Log the client address with PHP's built-in error_log(), then refuse the request.
    error_log('Bad request from ' . $HTTP_SERVER_VARS['REMOTE_ADDR']);
    header('HTTP/1.0 400 Bad Request');
    // header('HTTP/1.0 403 Forbidden'); // You might use this header instead, or
    //                                   // redirect to your own warning page.
    exit;
}


If you can use $HTTP_SERVER_VARS, using it is safer.

Regards,

Yasuo Ohgaki

>
> thanks
> michi
>
> --
> Sent through GMX FreeMail - http://www.gmx.net
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
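
Added example (not part of the original messages): a guard that answers the "how do I get the include-file's name?" question with `__FILE__` and compares it to the request's entry script instead of matching a URL suffix. The file name `db.inc.php` and the functions `is_direct_request()` and `db_dsn()` are hypothetical; it assumes PHP 7 or later and uses `$_SERVER`, the successor to `$HTTP_SERVER_VARS`.

```php
<?php
// db.inc.php (hypothetical file name). Added example, not code from the thread.

if (!function_exists('is_direct_request')) {
    /**
     * True when $includeFile is itself the entry script of this request,
     * i.e. it was requested directly rather than pulled in with include/require.
     * $server is normally $_SERVER; it is a parameter so the check can be tested offline.
     */
    function is_direct_request(string $includeFile, array $server): bool
    {
        $entry = $server['SCRIPT_FILENAME'] ?? '';
        // realpath('') resolves to the current directory, so handle the empty case first.
        $entryReal = ($entry === '') ? false : realpath($entry);
        $selfReal  = realpath($includeFile);
        // Fail closed: if either path cannot be resolved, treat it as a direct request.
        if ($entryReal === false || $selfReal === false) {
            return true;
        }
        // Both sides went through realpath(), so symlinks and ../ segments are normalised.
        return $entryReal === $selfReal;
    }
}

if (is_direct_request(__FILE__, $_SERVER)) {
    error_log('Direct request for include file from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit;
}

// ---- everything below runs only when another script included this file ----

function db_dsn(): string // hypothetical content of the include file
{
    return 'mysql:host=localhost;dbname=app';
}
```

Because the comparison uses server-set file paths rather than the query string or a request variable, parameters such as `?SCRIPT_URL=123` have no effect on the result.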
