To add to this - you should place critical information (like passwords, etc.)
outside the document root. That way, even if the server is mis-configured,
others won't be able to easily gain access to those files.

-----Original Message-----
From: Jason Wong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 01, 2002 3:38 PM
Subject: Re: [PHP] include()

On Thursday 01 August 2002 15:28, Lord Loh. wrote:
> I suppose include() can be used to include files from remote systems(not
> So, How can I protect my script from unauthorised inclusions ?
> A webmaster on the same server can always use a path like
> "/home/htdocs/.../config.php" and include my config .php which contains my
> database password !!
> Even a web master from a remote server can do the same by probably using
> I am using windows 2000/apache/php so I really have not tried these...but
> the docs say it can be done(remote system inclusion except on win)

When you include() a remote file eg:

it only includes the OUTPUT of Thus if all 
config.php does is assign some values to variables, ie produces no output, 
then the result of the include is nothing. 

Basically if you have a correctly configured webserver then there is no need
to worry about people remotely including your scripts (because all they see
is the HTML produced by your script).

Jason Wong -> Gremlins Associates ->
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

"There is no statute of limitations on stupidity."
-- Randomly produced by a computer program called Markov3.

PHP General Mailing List (
To unsubscribe, visit:
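
An added example, not part of the original messages: one way to apply the advice at the top of this thread is a loader that refuses any config file resolving inside the document root. The function name `load_private_config`, the directory names and the array-returning config format are assumptions made for this illustration.

```php
<?php
// Added illustration; function name, paths and config format are assumptions.

/**
 * Load a PHP config file that returns an array, refusing any file
 * that resolves to a location inside the web server's document root.
 */
function load_private_config(string $configPath, string $docRoot): array
{
    // realpath() resolves symlinks and "../" so the check cannot be sidestepped.
    $realConfig = realpath($configPath);
    $realRoot   = realpath($docRoot);
    if ($realConfig === false || $realRoot === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Trailing separator: /srv/htdocs-private must not match /srv/htdocs.
    $rootPrefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realConfig, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Refusing config stored under the document root');
    }
    $config = require $realConfig;
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array');
    }
    return $config;
}

// Self-contained demo using constructed temporary directories.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . bin2hex(random_bytes(4));
$docRoot = $base . DIRECTORY_SEPARATOR . 'htdocs';
$private = $base . DIRECTORY_SEPARATOR . 'private';
mkdir($docRoot, 0700, true);
mkdir($private, 0700, true);

// Constructed sample config: it returns values and produces no output.
$body = "<?php\nreturn ['db_password' => 'constructed-sample-value'];\n";
file_put_contents($private . DIRECTORY_SEPARATOR . 'config.php', $body);
file_put_contents($docRoot . DIRECTORY_SEPARATOR . 'config.php', $body);

$cfg = load_private_config($private . DIRECTORY_SEPARATOR . 'config.php', $docRoot);
echo "outside docroot: loaded ", count($cfg), " setting(s)\n";

try {
    load_private_config($docRoot . DIRECTORY_SEPARATOR . 'config.php', $docRoot);
} catch (RuntimeException $e) {
    echo "inside docroot: ", $e->getMessage(), "\n";
}
```

With the file kept outside the document root, a handler misconfiguration that serves `.php` files as plain text has no URL through which the password file can be requested.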
