Assuming you have Apache/Unix (don't know about any other set-ups), I do the following.
1. Name all included files .inc

I do this for many reasons, but mainly to help me know which are executables, and which are includes. It also helps with step 3.

2. I always keep them in a separate dir to the rest of my code, e.g. /inc/

3. Include a .htaccess file in the /inc/ directory (or further up towards your docroot) with the following:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

Basically, it denies direct (http) access to all *.inc files. This means the only way you can use/view/execute .inc files is by things like include() in another PHP script. I believe that Apache spits out a 500 error page if you try to access something.inc via the URL.

4. In addition (and a small deterrent in itself if step 3 is unavailable), I include a blank or redirecting index.html file in the /inc/ directory, so that they can't view the directory listing at all.

An additional security measure might be to ensure that only certain scripts can access the inc files, but I haven't gone that far yet :)

I'm unsure how well this prevents other users on the server from accessing the files though.

Unfortunately this will require the admin to allow you to use htaccess files in your on disk hierarchy, or possibly requesting him/her to make the changes needed themselves.

Justin French

on 28/06/02 6:25 PM, Nick Wilson ([EMAIL PROTECTED]) wrote:

> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
>
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?
>
> Many thanks
> --
> Nick Wilson // www.explodingnet.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
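A static check for steps 1 to 4 of the reply above, as an added example that is not part of the original thread: it walks a docroot, reports .inc files with no covering .htaccess deny block, and reports directories holding .inc files without an index.html. The function names and the sample tree are constructed for illustration, and only the exact `<Files ~ "\.inc$">` form from the message is recognized.

```python
import os
import re

# The <Files ~ "\.inc$"> block from the message, with a "Deny from all" body.
FILES_BLOCK = re.compile(r'<Files\s+~\s+"\\\.inc\$">(.*?)</Files>', re.I | re.S)
DENY_ALL = re.compile(r'^\s*Deny\s+from\s+all\s*$', re.I | re.M)

def htaccess_denies_inc(path):
    """True if the .htaccess at `path` denies *.inc (comment lines are ignored)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [ln for ln in fh if not ln.lstrip().startswith("#")]
    except OSError:
        return False
    return any(DENY_ALL.search(m.group(1)) for m in FILES_BLOCK.finditer("".join(lines)))

def is_covered(directory, docroot):
    """Look for a protecting .htaccess from `directory` up to `docroot`."""
    current, docroot = os.path.abspath(directory), os.path.abspath(docroot)
    while not htaccess_denies_inc(os.path.join(current, ".htaccess")):
        parent = os.path.dirname(current)
        if current == docroot or parent == current:
            return False
        current = parent
    return True

def audit(docroot):
    """Return (exposed .inc files, dirs holding .inc files without index.html)."""
    exposed, listable = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        incs = sorted(f for f in files if f.endswith(".inc"))
        rel = os.path.relpath(dirpath, docroot)
        if incs and not is_covered(dirpath, docroot):
            exposed += [os.path.normpath(os.path.join(rel, f)) for f in incs]
        if incs and "index.html" not in files:
            listable.append(rel)
    return sorted(exposed), sorted(listable)

def build_sample(root):
    """Constructed sample tree: inc/ follows steps 1-4, lib/ does not."""
    rule = '<Files ~ "\\.inc$">\nOrder Allow,Deny\nDeny from all\n</Files>\n'
    layout = {"inc/.htaccess": rule, "inc/db.inc": "<?php ?>", "inc/index.html": "",
              "lib/util.inc": "<?php ?>", "index.php": "<?php ?>"}
    for name, body in layout.items():
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

The check only reads files on disk; whether the server actually honours .htaccess depends on the admin's configuration, as the reply notes, so requesting a .inc URL and confirming it is refused remains the definitive test.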