On Tue, 2003-08-05 at 18:49, Jeff Waugh wrote:
> <quote who="Andrew McNaughton">
> 
> > Several approaches come to mind:
> > 
> > 1) change the suffixes of all includes (eg to .inc).  Arrange for apache
> > to deny access to any .inc files - and while you're at it, deny access to
> > any other extension not in your mime.types file.  That helps with things
> > like .php~ files left around by emacs users.
> > 
> > 2) deny access to any directory with a path containing '/inc/'.  Maybe add
> > a few other names as well.
> > 
> > 3) drop .htpasswd files into appropriate directories with directives to
> > block access.
> 
> 4) Create a user-specific and possibly host-specific filesystem location for
> includes, and add that dir to the php_includes variable in .htaccess or
> virtualhost directives. This is easy to administer, applicable across the
> entire hosting environment, and very easy to ensure compatibility with stuff
> you download (rather than author yourself). ;-)

You can do the same trick by dropping a php.ini in the directory with
the php files (or is it the working directory? I can never remember).
Not really anything gained, but it may prove more convenient for you.
Read about the search path php uses on php.net.

You can also set this stuff dynamically with php code. You could use
that prepend directive in php to do it. 

I like keeping my includes out of the document root -- in general I
don't see that it gains much, but it's nice knowing that it's one less
aspect of the scripts that I need to secure. It was a real pain on
systems that used Plesk though.

James.


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
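As an added illustration that is not part of this thread, here is how approaches 1, 2 and 4 above look as Apache directives. It assumes mod_php, Apache 2.4 access-control syntax, and an include directory at /var/www/phpinc outside the document root; the hostname and paths are placeholders.

```apacheconf
# Added example, not from the thread. Assumes Apache 2.4 ("Require" syntax),
# mod_php, and an include directory outside DocumentRoot at /var/www/phpinc.
# Hostname and paths are placeholders.

<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example/htdocs

    # Approach 4: includes live outside DocumentRoot, so Apache can never
    # serve them directly; PHP still finds them through include_path.
    php_value include_path ".:/var/www/phpinc"

    <Directory /var/www/example/htdocs>
        # Approach 1: refuse anything with an include suffix, plus editor
        # leftovers such as foo.php~ or foo.php.bak. Those are not handed to
        # the PHP handler, so without this rule they are served as plain text
        # and expose source (and any credentials inside it).
        <FilesMatch "(\.inc|~|\.bak|\.orig|\.swp)$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Approach 2: refuse any path under the document root that contains a
    # directory component named inc (lib and tpl added as further examples).
    <DirectoryMatch "^/var/www/example/htdocs/.*/(inc|lib|tpl)(/|$)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

After reloading, requests for a file under inc/ or for a .php~ backup should return 403 while normal .php pages still work; that quick check catches a rule that was placed in the wrong Directory block.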