0

I want to include file /httpdoc/a.php but this file including files /httpdoc/b/c.php and /http/d/e.php. How to allow to include only c.php? I want to allow including only from /httpdoc/b. 

File: /httpdoc/a.php:
<php
include '/httpdoc/b/c.php'; // should be included
include '/httpdoc/d/e.php'; // shouldn't be included

There is any way to do this from script in PHP and only for this script? I want to allow including only from selected directory dynamically. Other scripts should be able to include all files so changes should be local.

catgiggle
  • 43
  • 5
  • 2
    Why is `include '/httpdoc/d/e.php';` being included if you don't want it included? Can you explain your problem a bit better? – imtheman Jan 30 '15 at 16:47
  • Becouse I am not provaiding this file and I want secure my script against including imortant files. – catgiggle Jan 30 '15 at 18:08

2 Answers2

0

Doesn't make too much sense from my point of view, because scripts will throw errors or exceptions if they cannot include what they desire. If it's necessary anyway, you could solve it by removing file or folder permissions for the user running your PHP.

jossif
  • 399
  • 2
  • 10
0

Login as priviliged user. Then change the permissions of '/httpdoc/d' in a way that PHP cant access it anymore. The commandline for that could simply look like this:

chmod 700 -R /httpdoc/d

With that, only the owner of this folder can use it and all of its subfiles and subfolders. (If the user under wich PHP is running - typically 'www-data' or 'apache' - is the owner of this folder, you have to change the folder owner)

When you have done this, turn off the error reporting. For example:

@include "/httpdoc/a.php"

(There are other ways for doing so as well. E.g. error_reporting())

Regarding your comment:

There is any way to do this from script in PHP and only for this script? I want to allow including only from selected directory dynamically. Other scripts should be able to include all files so changes should be local.

If u have files like "/httpdoc/a.php" u dont 100% trust in, do the following. Put them in a separate directory. You can put all other files except your secret ones (/http/d/e.php) in there as well.

Configure that directory as described here:

PHP - a different open_basedir per each virtual host

Community
  • 1
  • 1
MarkusAtCvlabDotDe
  • 1,032
  • 5
  • 12
  • There is any way to do this from script in PHP and only for this script? I want to allow including only from selected directory dynamically. Other scripts should be able to include all files so changes should be local. – catgiggle Jan 30 '15 at 18:04
  • Good overview and short information about the "open-basedir" - directive: http://www.madirish.net/199 – MarkusAtCvlabDotDe Jan 30 '15 at 19:07