Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 6 of 6
  1. #1
    New to the CF scene
    Join Date
    Aug 2006
    Location
    California
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Post How do I call files that are in a non-web-accessible directory?

    I’m new to PHP, and I have a fairly easy question to ask concerning the “include” and “require” functions to secure my site. I’m having trouble calling the files from a non-web accessible directory.

    I basically created a directory called “includes”. I then moved all my php files to that directory. After which I created and implemented the following code in the web accessible root directory:

    require (“/www/includes/index.php”); (wouldn't parse, tried it without /www/)


    require ('C:\Program Files\xampp\htdocs\mywebsite\header.php'); (I tried that code locally and it worked , but it didn’t work when I tried typing index.php , or when placing the files in the includes directory.)

    All in all, I’ve tried to call the files in /includes/index.php online, but nothing seemed to work. And have tried this method on both my local, and online server. Is there something I’m missing, or doing wrong?


    Thank you for your time.

  • #2
    Regular Coder musher's Avatar
    Join Date
    Jan 2005
    Location
    Minnesota
    Posts
    203
    Thanks
    0
    Thanked 0 Times in 0 Posts
    elegion,
    first you can either use require or include (here's the difference)
    The two constructs are identical in every way except how they handle failure. include() produces a Warning whilerequire() results in a Fatal Error. In other words, use require() if you want a missing file to halt processing of the page. include() does not behave this way, the script will continue regardless.
    ok now on to your code, if the file your calling the include from is your root and you have a directory under your root call includes this is how it would look
    PHP Code:
    require('includes/header.inc'); 
    should do it, I normally use require_once if the file has already been included once it won't need to be re-read.
    PHP Code:
    require_once('includes/header.inc'); 
    you can call your files what ever you want (ie. header.php) I normally call them ?????.inc just to help me keep things organized.
    Last edited by musher; 08-22-2006 at 05:43 AM.
    Thanks
    Jim M

    "Lord, help me to become the person my dog thinks I am" - Dawn Ewing
    "If you must know. Yes, I do enjoy running after the dog sled when I fall off" - Me

    www.huskyzone.com -- Woodland Siberians

  • #3
    Regular Coder
    Join Date
    Oct 2003
    Posts
    603
    Thanks
    2
    Thanked 1 Time in 1 Post
    can you include files from non-accessible directories??

  • #4
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Quote Originally Posted by musher
    you can call your files what ever you want (ie. header.php) I normally call them ?????.inc just to help me keep things organized.
    Word of warning, if your included files end in .inc, most browsers will be able to read that file as if it were a text file. So your raw source code is available to prying eyes. Better to use filename.inc.php if you're inclined to use .inc in your naming convention.

    To the OP, I'm not sure files a directory that isn't accessible to the web can be included. I include files in a directory with restricted permissions (I use chmod 744), but I wouldn't consider that non-web accessible.

  • #5
    Regular Coder musher's Avatar
    Join Date
    Jan 2005
    Location
    Minnesota
    Posts
    203
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Fumigator
    Word of warning, if your included files end in .inc, most browsers will be able to read that file as if it were a text file. So your raw source code is available to prying eyes. Better to use filename.inc.php if you're inclined to use .inc in your naming convention.
    Thanks Fumigator (I think, boy do I have a bunch of files and code to change now),

    I basically created a directory called “includes”. I then moved all my php files to that directory. After which I created and implemented the following code in the web accessible root directory:
    .... I took that as he created an includes dir under the root

    elegion what do you mean by a "a non-web accessible directory"
    Thanks
    Jim M

    "Lord, help me to become the person my dog thinks I am" - Dawn Ewing
    "If you must know. Yes, I do enjoy running after the dog sled when I fall off" - Me

    www.huskyzone.com -- Woodland Siberians

  • #6
    New to the CF scene
    Join Date
    Aug 2006
    Location
    California
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally Posted by Musher
    .... I took that as he created an includes dir under the root

    Mucher that’s true, within my root directory online I created an “includes” folder wherein I temporarily CHMOD the file permissions to a world writable 777 to see if I could call those files, but nothing happened. 777 would’ve exposed the directory. I then changed the directory back to its original 755. Fumigator I haven’t tried the 744 yet.


    Originally Posted by Musher
    elegion what do you mean by a "a non-web accessible directory"
    Non-web accessible it’s basically a directory that’s not viewable by the public , none of your users are able to access certain portions of your site through an url, only that which you, or the webmaster have placed in the root directory. I created a fall back .htaccess file, but I still can't call the file.

    Exp, from another forum:

    "I believe you can simply put the included file in a non-web-accessible directory:

    PHP Code:
    include "/home/myself/includes/somefile.php"; [/B
    This was the answer given to when someone helped someone else.

    Originally Posted by boeing747fp
    can you include files from non-accessible directories??
    Yeah, or so It’s stated in the following article, which is listed under the section Access Control Flaws. I stumbled across that particular article while doing a massive google for the answer, and creating my phpwebsite template. You can also include files that are on a completely different server.

    Here’s the physical link: http://www.sitepoint.com/print/php-security-blunders


    Following the examples in that article I went upon creating an “includes” folder in /www/includes, but because of the php.ini file I soon found that php.ini had the ability to change and allow php to configure not only register_globals, but on how code was parsed through php.

    So with that knowledge I recreated the “includes “ directory within my site’s root directory. /mysite/includes

    I read the user comments at php.net/includes to find at least one hint, unfortunately the closest comment to my plight was on how to call a file from a remote server, which they insisted would lead to a security risk.

    Of course, nothing would answer this fundamental question, and that perhaps, my host knew which directory was non-web accessible. And that in order for me to call these files, my host would have to modify the httpd.conf file in Apache.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •