On Thursday 01 August 2002 15:28, Lord Loh. wrote:
> I suppose include() can be used to include files from remote systems(not on
> So, How can I protect my script from unauthorised inclusions ?
> A webmaster on the same server can always use a path like
> "/home/htdocs/.../config.php" and include my config .php which contains my
> database password !!
> Even a web master from a remote server can do the same by probably using
> http://www.xyz.net/config.php
> I am using windows 2000/apache/php so I really have not tried these...but
> the docs say it can be done(remote system inclusion except on win)

When you include() a remote file eg:


it only includes the OUTPUT of http://www.xyz.net/config.php. Thus if all 
config.php does is assign some values to variables, ie produces no output, 
then the result of the include is nothing. 

Basically if you have a correctly configured webserver then there is no need 
to worry about people remotely including your scripts (because all they see 
is the HTML produced by your script).

Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

"There is no statute of limitations on stupidity."
-- Randomly produced by a computer program called Markov3.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to