protect php includes (with htaccess?)

Anonymous picture Anonymous · Jun 7, 2012 · Viewed 7.8k times · Source

First of all, I'm pretty sure a similar question will be on Stack Overflow, but I didn't really find it. Probably because I am using the wrong keywords. So don't shoot me because of that.

What my question basically is, I want to include php files, but I only want them to be included and not for people to be opened with their browser. They should get an error.

For example I have an includes directory with a php file which contains my connection to a DB (password etc.. dangerous?) . I want to be able to include it, but I don't want people to directly visit the page.

Will putting a password on the includes directory with htaccess fix my problem? First I thought it wouldn't, because it would be weird that pages can be included for users that don't have access to it. But it seems to work, how does this come? Is there an other better option ? What do web developers usual do?

And also can I do something similar for javascript files? My guess is that this won't be the case, but I'm just asking. The js file contains ajax calls to certain pages, but I guess I'm happy if I can protect the php pages from visiting.

Anyway thanks in advance :)

Answer

derobert picture derobert · Jun 7, 2012

I think explaining how the pieces work together will help clear up the confusion.

A request comes in (from the user's web browser). Your web server (in this example, Apache) receives this. First, it checks the <Location> permissions. Then it looks through the rest of the configuration, and eventually maps the request URI to the filesystem. Now, finally, it can check <Directory> permissions as well as .htaccess.

If any of those permission checks fails (e.g., deny from all), Apache stops processing the request, and sends back an error (or request for username & password in the case of HTTP Basic authentication).

Once all the permission checks pass, Apache looks at the file, and notices that its a .php file. Somewhere in your (or your web host's) Apache config, there is an AddHandler directive that tells Apache to pass this request on to the PHP engine (which could be mod_php, or via fast cgi). (For most files, it instead sends the contents of the file to the browser. But script files are special, because of that AddHandler.)

Now, PHP reads your script file. It then also reads your include files directly. This doesn't go back through Apache, so things like .htaccess do not apply. It also means that your PHP includes do not need to be in your document root. They can be anywhere that the PHP process can access (based on UNIX permissions and PHP configuration). Setting an include_dir in your php.ini makes it easy to put these wherever.

Client-side JavaScript is run by the user's browser. It isn't interpreted server-side (like PHP is). So the user must be able to access it, just like the user must be able to access your .html files.

So, in short:

  • You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all.
  • You can not do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).