ITT #3: Protecting Non-Public Files

Add an extra layer of security with .htaccess

Prevent Direct Access to Included Files

If you've ever built a web app, you're probably familiar with the idea of breaking your code up into smaller pieces, then including those files using include_once or require_once. This practice can speed up your application, help you organize your code better, and increase the portability of code in future projects. Another benefit that file inclusion offers that's often overlooked, however, is enhanced security.

For example, nearly every app that I write reads to or writes from a database. To speed up the connection process, I've written a database class that I simply include in new projects, allowing me to easily open the connection and just keep on coding.

The information used in the included database file is sensitive data that could be troublesome in the wrong hands (i.e. the username and password for my database), and while separating it from the publicly displayed index.php is a step in the right direction, it's not enough to keep a mischievous user from getting to the information.

The Easy Way

If you're lucky enough to have access outside of your root folder on your server, you can simply store your include files outside of the root folder, preventing direct access from the Internet at large.

File Protection for the Rest of Us

If you're like me, however, you're on a shared hosting plan without access to folders above document root. Bummer, right?

Wrong! Hope's not lost for those of us with limited server access; we can still prevent access to our files with .htaccess (provided you're on an Apache server, of course).

Using only four lines, we can make it significantly more difficult for a malicious user to get access to the sensitive information in our included files (assuming you've saved your include files with the extension *.inc):

<Files ~ ".inc$">
    Order allow,deny
    Deny from all
</Files>

Additional Protection

As an additional precaution, you may want to set your server to parse PHP in *.inc files, just in case someone manages to navigate to an include file directly (i.e. http://example.org/dbconnect.inc). By default, servers generally serve unknown file extensions to a browser as content-type "text/plain"; this means your code would be displayed as is, with all of your variables in plain sight.

This, for obvious reasons, is undesirable. However, it's pretty simple to fix this issue and tell your server to handle *.inc files as PHP, therefore no longer showing the contents as plain text.

To set your server to process *.inc files as PHP, you'll need to add an AddType handler:

AddType application/x-httpd-php .inc

Talk Nerdy to Me

How do you protect sensitive information on your sites? Let me know in the comments!

As always, if you've got any ideas for future Instant Tip Tuesday installments, post them here, email me, or hit me up on Twitter!

Posted Feb 17, 2009 by Jason Lengstorf.
This entry is filed under instant tip tuesday, .htaccess, and security.

Want more content like this? Subscribe for FREE!

Comments for This Entry

GravatarMike Smith08:14PM on February 17, 2009

Nice post. I've never built my own script, but I am diving into some php and other codes trying to learn how and this will come in handy. Thanks for posting it. It's definitely bookmarked :)

Oh, and your site design is awesome :)

Post a Comment

Want to show your face? Get a gravatar!

ALLOWED TAGS: <tt><strong><em>