Assuming you have Apache/Unix (don't know about any other set-ups), I do the

1. Name all included files .inc.  I do this for many reasons, but mainly to
help me know which are executables, and which are includes.  It also helps
with step 3.

2. I always keep them in a separate dir to the rest of my code, eg /inc/

3. Include a .htaccess file in the /inc/ directory (or further up towards
your docroot) with the following:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

Basically, it denies direct (http) access to all *.inc files.  This means
the only way you can use/view/execute .inc files is by things like include()
in another php script.  I believe that Apache spits out a 500 error page if
you try to access via the URL.

4. In addition (and a small deterrent in itself if step 3 is unavailable), I
include a blank or redirecting index.html file in the /inc/ directory, so
that they can't view the directory listing at all.

An additional security measure might be to ensure that only certain scripts
can access the inc files, but I haven't gone that far yet :)

I'm unsure how well this prevents other users on the server from accessing
the files though.

Unfortunately this will require the admin to allow you to use htaccess files
in your on disk hierarchy, or possibly requesting him/her to make the
changes needed themselves.

Justin French

on 28/06/02 6:25 PM, Nick Wilson ([EMAIL PROTECTED]) wrote:

> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?
> Many thanks
> - -- 
> Nick Wilson     //

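A way to check step 3 of the reply above, as an added example that is not part of the original message: a Python script that walks a docroot and lists the .inc files that no .htaccess at or above them covers with a deny-all Files rule. It accepts the Order/Deny form from the message and Apache 2.4's "Require all denied"; the function names and the sample tree are constructed here, and it cannot tell whether the server's AllowOverride setting honours .htaccess files or whether a deeper .htaccess re-allows access.

```python
import os
import re
import tempfile

# <Files ~ "regex"> or <FilesMatch "regex"> and the directives inside it.
BLOCK = re.compile(
    r'<Files(?:Match\s+|\s+~\s+)"([^"]+)"\s*>(.*?)</Files(?:Match)?>', re.I | re.S)
# Apache 2.2 (Deny from all) and 2.4 (Require all denied) spellings.
DENY = re.compile(r'^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)


def htaccess_denies(directory, filename):
    """True if directory/.htaccess has a matching block that denies all."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    # Assumption: Python's re is close enough to Apache's regex for simple patterns.
    return any(re.search(pattern, filename) and DENY.search(body)
               for pattern, body in BLOCK.findall(text))


def exposed_includes(docroot, suffix=".inc"):
    """Return docroot-relative paths of include files no .htaccess covers."""
    docroot = os.path.abspath(docroot)
    exposed = []
    for current, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(current, docroot)
        parts = [] if rel == "." else rel.split(os.sep)
        # The docroot, each directory below it, and finally this directory.
        chain = [os.path.join(docroot, *parts[:i]) for i in range(len(parts) + 1)]
        for name in files:
            if name.endswith(suffix) and not any(htaccess_denies(d, name) for d in chain):
                exposed.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(exposed)


def demo():
    """Constructed sample tree: inc/ and new/ carry a rule, lib/ has none."""
    old = '<Files ~ "\\.inc$">\n    Order Allow,Deny\n    Deny from all\n</Files>\n'
    new = '<FilesMatch "\\.inc$">\n    Require all denied\n</FilesMatch>\n'
    tree = {"inc/.htaccess": old, "inc/db.inc": "", "lib/util.inc": "",
            "new/.htaccess": new, "new/sub/conf.inc": ""}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return exposed_includes(root)
```

Calling exposed_includes() on a real docroot returns the include files that still need a rule; an empty list means every .inc file sits under a matching deny block.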