Concealing PHP Libraries
Many a hacker has learned of weaknesses by downloading include files or data that are stored alongside HTML and PHP files in the web server’s document root. To prevent this from happening to you, all you need to do is store code libraries and data outside the server’s document root.
For example, if the document root is /home/httpd/html, everything below that directory can be downloaded through a URL. It is a simple matter to put your library code, configuration files, log files, and other data outside that directory (e.g., in /usr/local/lib/myapp). This doesn't prevent other users on the web server from accessing those files (see Section 12.4 earlier in this chapter), but it does prevent the files from being downloaded by remote users.
If you must store these auxiliary files in your document root, you can configure the web server to deny requests for those files. For example, this tells Apache to deny requests for any file with a .inc extension, a common extension for PHP include files:

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

Two points to keep in mind. First, Order and Deny are Apache 2.2 directives; on Apache 2.4 they only work when mod_access_compat is loaded, and the native equivalent inside the same <Files> block is a single line, Require all denied. Second, such a rule stops remote downloads only: PHP itself can still include the file, so the application keeps working, but any .inc file that slips into the document root without a matching rule is served as plain text, source code and credentials included.
If you store code libraries in a different directory from the PHP pages that use them, you'll need to tell PHP where the libraries are. Either give a full path to the code in each include() or require(), or add the library directory to include_path in php.ini (note that a semicolon in php.ini begins a comment, so no trailing semicolon is needed):

include_path = ".:/usr/local/php:/usr/local/lib/myapp"
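The following front-controller fragment puts both pieces of advice together: the libraries live outside the document root, PHP finds them through include_path, and a small guard refuses to load anything that turns out to be web-reachable after all. It is an added example, not code from the book. It assumes the book's paths (/home/httpd/html and /usr/local/lib/myapp), PHP 8.0 or later for str_starts_with(), and two hypothetical library files, config.php and db.php; requireOutsideDocroot() is a helper written for this example, not a PHP built-in.

```php
<?php
// Added example (not from Programming PHP). Assumed layout, as in the text:
//   /home/httpd/html/index.php       - this page, inside the document root
//   /usr/local/lib/myapp/config.php  - credentials, outside the document root (hypothetical)
//   /usr/local/lib/myapp/db.php      - library code, outside the document root (hypothetical)
// Requires PHP 8.0+ (str_starts_with). requireOutsideDocroot() is a helper
// written for this example.
declare(strict_types=1);

const LIB_DIR = '/usr/local/lib/myapp';

// Runtime alternative to editing php.ini: prepend the library directory, so a
// plain `require 'db.php';` resolves there. It goes in front of the existing
// include_path (".:...") so a same-named file in the document root cannot
// shadow the real library.
set_include_path(LIB_DIR . PATH_SEPARATOR . get_include_path());

/**
 * Load a library file only if it resolves to a real file OUTSIDE the document
 * root. Anything PHP can include from under the document root can also be
 * fetched by URL, so a misplaced file becomes a hard error instead of a leak.
 */
function requireOutsideDocroot(string $file): void
{
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("library not found: $file");
    }

    // Apache exports DOCUMENT_ROOT; fall back to this page's own directory.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docRoot !== false && str_starts_with($real, rtrim($docRoot, '/') . '/')) {
        throw new RuntimeException(
            "refusing to load $real: it is inside the document root $docRoot"
        );
    }

    // The Section 12.4 concern: moving the file out of the document root does
    // nothing against other local users if it is world-readable. Warn rather
    // than fail, because the right owner/group depends on how PHP is run.
    if ((fileperms($real) & 0004) !== 0) {
        trigger_error(
            "$real is world-readable; other users on this host can read it",
            E_USER_WARNING
        );
    }

    require_once $real;
}

// Credentials and library code, both loaded from outside /home/httpd/html.
requireOutsideDocroot(LIB_DIR . '/config.php');
requireOutsideDocroot(LIB_DIR . '/db.php');
```

Because the guard works on realpath() output, a symlink from the library directory back into the document root is caught as well; the warning on world-readable files is deliberately non-fatal so the check can be turned on before the file ownership on a shared host has been sorted out.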