All included scripts inherit the variables of the parent script, so you
could test for numerous server variables like the name of the parent script
(PHP_SELF), or the domain name being used, etc etc.  If it's not what you
expected, spit out an error.

something like

if($_SERVER['PHP_SELF'] == "mydir/myscript.php")
    // do all this stuff
    // do nothing

$_SERVER['HTTP_HOST'] might be a better option than $PHP_SELF, given that
you would include a config file on every page.

Other users on the same server *shouldn't* be able to include() in this way
though, if the server is set-up right.

Nothing is ever 100% secure, but if your host hasn't even attempted to plug
these holes, change hosts.

As far as people go on other servers, they can only call your script via
HTTP, and get the *output* of the script, not the script itself.

1. if your config file doesn't output any text or HTML to the browser, then
they'll get a blank document

2. if you name all your included PHP scripts with .inc (or anything other
than .php) AND set a .htaccess file to forbid *.inc files from being server
via HTTP, then there is very little chance of another webmaster obtaining
your passwords et al over HTTP.

My .htaccess file has:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all

Good luck!

Justin French

on 01/08/02 5:28 PM, Lord Loh. ([EMAIL PROTECTED]) wrote:

> I suppose include() can be used to include files from remote systems(not on
> So, How can I protect my script from unauthorised inclusions ?
> A webmaster on the same server can always use a path like
> "/home/htdocs/.../config.php" and include my config .php which contains my
> database password !!
> Even a web master from a remote server can do the same by probably using
> I am using windows 2000/apache/php so I really have not tried these...but
> the docs say it can be done(remote system inclusion except on win)
> Lord Loh.

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to