
Protect Non-Public Files with .htaccess

If you've ever built a web app, you're probably familiar with the idea of breaking your code up into smaller pieces, then including those files using include_once or require_once. This practice can speed up your application, help you organize your code better, and increase the portability of code in future projects. Another benefit that file inclusion offers that's often overlooked, however, is enhanced security.

For example, nearly every app that I write reads from or writes to a database. To speed up the connection process, I've written a database class that I simply include in new projects, allowing me to easily open the connection and just keep on coding.

The information used in the included database file is sensitive data that could be troublesome in the wrong hands (i.e. the username and password for my database), and while separating it from the publicly displayed index.php is a step in the right direction, it's not enough to keep a mischievous user from getting to the information.

The Easy Way

If you're lucky enough to have access outside of your root folder on your server, you can simply store your include files outside of the root folder, preventing direct access from the Internet at large.

File Protection for the Rest of Us

If you're like me, however, you're on a shared hosting plan without access to folders above document root. Bummer, right?

Wrong! Hope's not lost for those of us with limited server access; we can still prevent access to our files with .htaccess (provided you're on an Apache server, of course).

Using only four lines, we can make it significantly more difficult for a malicious user to get access to the sensitive information in our included files (assuming you've saved your include files with the extension *.inc):

<Files ~ ".inc$">
    Order allow,deny
    Deny from all
</Files>

Additional Protection

As an additional precaution, you may want to set your server to parse PHP in *.inc files, just in case someone manages to navigate to an include file directly (e.g. http://example.org/dbconnect.inc). By default, servers generally serve unknown file extensions to a browser as content-type "text/plain"; this means your code would be displayed as is, with all of your variables in plain sight.

This, for obvious reasons, is undesirable. However, it's pretty simple to fix this issue and tell your server to handle *.inc files as PHP, therefore no longer showing the contents as plain text.

To set your server to process *.inc files as PHP, you'll need to add an AddType directive:

AddType application/x-httpd-php .inc
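A complete .htaccess that combines the two directives above, as an added example rather than the post's own snippet: it matches *.inc with FilesMatch, carries both the Apache 2.2 Order/Deny syntax the post uses and the Apache 2.4 Require syntax so the same file works on either version, and assumes PHP runs as mod_php (where AddType is what selects the PHP handler; under PHP-FPM the handler is chosen elsewhere and the AddType line does nothing).

```apache
# Refuse direct HTTP requests for any file whose name ends in .inc.
# PHP's include/require read straight from the filesystem, so they
# are unaffected; only browser requests get the 403.
<FilesMatch "\.inc$">
    # Apache 2.4 and later: mod_authz_core provides "Require".
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: the Order/Deny syntax shown in the post.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Second layer: should a request for a .inc file ever be served anyway,
# have mod_php execute it instead of sending the source as text/plain.
AddType application/x-httpd-php .inc
```

Verify the deployment by requesting one of your .inc files in a browser: the expected answer is a 403, not the file's contents.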

Talk Nerdy to Me

How do you protect sensitive information on your sites? Let me know in the comments!

Date. 02/17/2009

Comments. 9

Category. .htaccess

Jason Lengstorf


Jason Lengstorf is a turbogeek hailing from Portland, Oregon. He designs and develops websites using PHP, MySQL, JavaScript (jQuery), CSS, and HTML. He's written two books (PHP for Absolute Beginners [2009 Apress] and Pro PHP and jQuery [2010 Apress]), and he's written articles on development and design for Nettuts, CSS Tricks, and Smashing Magazine, among others.


Comments.

  1. Nice post. I've never built my own script, but I am diving into some PHP and other code trying to learn how, and this will come in handy. Thanks for posting it. It's definitely bookmarked :)

     Oh, and your site design is awesome :)

  2. Thanks man, really easy

  3. Your blog is very informative. This is obviously one great post. I keep on reading articles from here.

     Thanks for sharing..

  4. We were looking for something completely different, but found your web page! And have to say thanks.
