9

We all have php files like 'connect_db.php' for include purposes only.

Suppose I have all those inclusive .php files in "www/html/INC"

And I have index.php

I want index.php accessible from the browser to everyone, but I want to prevent users' direct access to the "www/html/INC" folder. (e.g. when typing 'www.domain.com/INC/' in the browser -> 404 error, etc.)

How do I achieve this?

Preferably using a .htaccess file in the root directory please.

user706087

5 Answers

12

Something like

<Directory /INC>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

should work.

Shadikka
6

How do I achieve this?

Don't. As per my previous answer, it's much more secure to put connect_db.php in /www/, not in /www/html/INC/. If you are going to do so, then you'd use /www/html/.htaccess:

<Directory "/www/html/INC">
   order allow,deny
   deny from all
</Directory>
Community
Berry Langerak
  • Thanks, but if I put files higher than the document root, then how can I include the connect_db.php file by absolute directory path? I used include $_SERVER['DOCUMENT_ROOT']."/INC/connect_db.php"; before. – user706087 Jun 07 '11 at 12:41
  • Also, should I put images higher than the root? If so, then how can I link to them by using $_SERVER['SERVER_NAME'] or other? – user706087 Jun 07 '11 at 13:06
  • No. You could, but I wouldn't. It's for critical files. To include the file, use include $_SERVER['DOCUMENT_ROOT'] . '/../connect_db.php'; – Berry Langerak Jun 07 '11 at 13:08
  • You can include PHP files, using absolute path too (/var/www/...). It's your choice. – bksi Oct 25 '12 at 22:57
  • @bksi Definitely, my point was more that you shouldn't put the files in a web-accessible directory. For code portability however, I would make the include relative to the current directory instead of using a static absolute path. – Berry Langerak Oct 29 '12 at 09:24
5

Google searches have brought me here so I figured I'd post what I found in the apache docs today. I'm not positive what versions of apache it is available in, but do a search for your version to verify.

Now you can just use Require local. I'd recommend putting an .htaccess in the folder that you want to restrict access to with just that line. However, if you must do it in the root directory then here's what it would be:

<Directory "www/html/INC">
    Require local
</Directory>
nickell
2

As of Apache 2.4, Require is the way to go.

E.g. the following denies access to the /www/html/INC directory by anyone except localhost:

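<Directory "/www/html/INC">
    # Sibling Require lines are OR-ed together, so "Require all granted"
    # next to this line would admit everyone; only the ip rule is kept.
    Require ip 127.0.0.1
</Directory>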
Domi
1

Move connect_db.php to a higher level in the directory tree than the public directory.
And all scripts which should not be executable, too.

/home/user/project/incs/ -- here your inclusive scripts
/home/user/project/www/html -- here your index.php and other executable scripts.

OZ_
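The question asks for a .htaccess solution, but Apache accepts `<Directory>` blocks only in the server or virtual-host configuration, not inside .htaccess files. The following is an added example, not taken from any of the answers, showing two .htaccess forms for the layout in the question; it assumes AllowOverride permits these directives (AuthConfig and Limit for option A, FileInfo for option B) and that mod_rewrite is loaded for option B.

```apache
# --- Option A: file saved as www/html/INC/.htaccess ---------------------
# A .htaccess file applies to the directory it sits in, so no <Directory>
# wrapper is needed. Direct requests get 403 Forbidden; PHP include()
# reads from the filesystem and is not affected.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (legacy Order/Deny directives)
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# --- Option B: lines added to www/html/.htaccess (the document root) ----
# Answers 404 for /INC and everything below it, as asked in the question.
# In a .htaccess file the pattern is matched against the path relative to
# that directory, so it has no leading slash.
# Deliberately not wrapped in <IfModule mod_rewrite.c>: if the module is
# missing, a visible 500 error is safer than silently serving the folder.
RewriteEngine On
RewriteRule ^INC(/|$) - [R=404,L]
```

Use one option, not both. After deploying, request www.domain.com/INC/connect_db.php from a browser and confirm the 403 or 404 response.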