
Protect Non-Public Files with .htaccess

If you've ever built a web app, you're probably familiar with the idea of breaking your code up into smaller pieces, then including those files using include_once or require_once. This practice can speed up your application, help you organize your code better, and increase the portability of code in future projects. Another benefit that file inclusion offers that's often overlooked, however, is enhanced security.

For example, nearly every app that I write reads from or writes to a database. To speed up the connection process, I've written a database class that I simply include in new projects, allowing me to easily open the connection and just keep on coding.

The information used in the included database file is sensitive data that could be troublesome in the wrong hands (i.e. the username and password for my database), and while separating it from the publicly displayed index.php is a step in the right direction, it's not enough to keep a mischievous user from getting to the information.

The Easy Way

If you're lucky enough to have access outside of your root folder on your server, you can simply store your include files outside of the root folder, preventing direct access from the Internet at large.

File Protection for the Rest of Us

If you're like me, however, you're on a shared hosting plan without access to folders above document root. Bummer, right?

Wrong! Hope's not lost for those of us with limited server access; we can still prevent access to our files with .htaccess (provided you're on an Apache server, of course).

Using only four lines, we can make it significantly more difficult for a malicious user to get access to the sensitive information in our included files (assuming you've saved your include files with the extension *.inc):

<Files ~ ".inc$">
    Order allow,deny
    Deny from all
</Files>

Additional Protection

As an additional precaution, you may want to set your server to parse PHP in *.inc files, just in case someone manages to navigate to an include file directly (i.e. http://example.org/dbconnect.inc). By default, servers generally serve unknown file extensions to a browser as content-type "text/plain"; this means your code would be displayed as is, with all of your variables in plain sight.

This, for obvious reasons, is undesirable. However, it's pretty simple to fix this issue and tell your server to handle *.inc files as PHP, therefore no longer showing the contents as plain text.

To set your server to process *.inc files as PHP, you'll need to add an AddType directive:

AddType application/x-httpd-php .inc
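A version-portable form of the two .htaccess fragments above, added here as an example rather than taken from the post: it combines the deny rule and the AddType line, escapes the dot so only a literal `.inc` suffix matches, and uses `Require all denied` where Apache 2.4's mod_authz_core is loaded and the post's `Order`/`Deny` directives otherwise. It assumes mod_php is what handles `application/x-httpd-php` and that `AllowOverride` permits these directives in the directory.

```apache
# Added example, not the post's own code. Blocks direct requests to *.inc on
# both Apache 2.2 and 2.4, then has PHP parse them as a second line of defence.
# Assumes mod_php is loaded and that .htaccess overrides are allowed for this
# directory (AllowOverride Limit FileInfo, or All).
<FilesMatch "\.inc$">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_host): the directives used in the post
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# If a request still reaches an include file (for instance, this .htaccess is
# lost in a deploy), have PHP execute it instead of serving it as text/plain.
AddType application/x-httpd-php .inc
```

A quick check from outside: requesting a protected file with `curl -I http://example.org/dbconnect.inc` should return 403 Forbidden rather than 200 with the file body.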

Talk Nerdy to Me

How do you protect sensitive information on your sites? Let me know in the comments!

Date. 02/17/2009

Comments. 27

Category. .htaccess

Jason Lengstorf


Jason Lengstorf is a turbogeek hailing from Portland, Oregon. He designs and develops websites using PHP, MySQL, JavaScript (jQuery), CSS, and HTML. He's written two books (PHP for Absolute Beginners [2009, Apress] and Pro PHP and jQuery [2010, Apress]), and he's written articles on development and design for Nettuts, CSS Tricks, and Smashing Magazine, among others.


Comments.

  1.

    Nice post. I've never built my own script, but I am diving into some PHP and other code trying to learn how, and this will come in handy. Thanks for posting it. It's definitely bookmarked :)

    Oh, and your site design is awesome :)

  2.

    Thanks man, really easy




  6.

    Your blog is very informative. This is obviously one great post. I keep on reading articles from here.

    Thanks for sharing.

  7.

    We were looking for something completely different, but found your web page! And have to say thanks.



  10.

    It's actually a nice and useful piece of info. I am glad that you shared this useful info with us. Please keep us up to date like this. Thanks for sharing.

  11.

    I found your website perfect for my needs. It contains wonderful and helpful posts. I have read most of them and got a lot from them.

  12.

    I just love it... well, I don't have any doubt about your articles... your articles are awesome... Honestly, you are simply the best. Thanks for sharing this with us.

  13.

    Sounds interesting. Thanks for the info. I like you now!

  14.

    Hi, I have been reading this blog for some time now but never bothered to comment until today. Wanted to let you know that I am a fan and enjoy your work. Thanks.

  15.

    Very useful for me... I'm looking for some ideas to redesign our logo. Thanks.

  16.

    Very happy to see your article. I very much like and agree with your point of view.



  19.

    Good post! I was passing by here and I read your post.

  20.

    I like this post very much. Your writing style is very good. I want to share this information with my friends; I hope they will also like it.

  21.

    I like this...

  22.

    This is a really well written article. I will make sure to bookmark it and come back to read more of your useful info. Thanks for the post. I'll definitely return.

  23.

    Your article is nice. I read your article and learned a lot, and I hope to see your next article; I look forward to your masterpiece.

  24.

    I'm very happy to read this. This is the type of info that needs to be given and not the accidental misinformation that's at the other blogs. Appreciate your sharing this best doc.

  25.

    Excellent article, it is very useful. I like it.

  26.

    It's really because I put my heart into it that it paid off.

  27.

    I have found this article very exciting. Do you have any others on this topic? I am also sending it to my friend to enjoy your writing style. Thanks
