File access

Started by coolbrain, Jul 10, 2022, 09:36 AM

Previous topic - Next topic

coolbrainTopic starter

Working with one site and thought about security.
I use a regular file like config.php to store data for database access and so on. Can attackers access the contents of this file? Is it necessary to hide it somewhere?


Scripts will also gain access through a password. you can move the necessary files to the root directory and work with them like this ..
It is possible do it through define - in one file (which connects). You declare some kind of constant, and in another connected file you check - if this constant is not declared, then you redirect to some page.

F.e. in index.php
define ('ENGINE', '1');

in config.php
if (!defined('ENGINE'))
    The following users thanked this post: Sevad


To protect the config.php file, first of all, you need to generate new secret keys, which are necessary to protect the site as a whole. By default, this file is stored in the root directory, but you can move it to another location known only to you. In addition, in the directory where config.php is located, you can place the .htaccess file, which contains a special code:
<files wp-config.php>
    order allow,deny
    deny from all


The easiest way for the standard situation "PHP application is running on an Apache web server, which you can fully or not fully control" is to put your include in a directory and deny access to this directory in the file .htaccess. To save people from having to Google, if you're using Apache, put this in a file called ".htaccess" in a directory you don't want to have access to.:

Deny from all.

 If you really have full control over web server (it's more common these days even for small applications), the best approach is to put the files you want to protect outside the directory from which your server is served. So, if your application is located in /srv/YourApp/, set the server to serve files from /srv/YourApp/app/ and put include in /srv/YourApp/includes, so that there is no URL that can access them.

Answer 2
Add this to the page you only want it to be enabled.:


if(!defined('MyConst')) {

   die('Direct access denied');



then on the pages that include it, add:


define('MyConst', TRUE);


Answer 3
1. Checking the number of included files
if( count(get_included_files()) ==((version_compare(PHP_VERSION, '7.0.0', '>='))?1:0) ) {

    exit('Restricted access');


Logic: PHP shuts down if the minimum number of inclusions is not met. Note that prior to PHP5, the base page was not considered to be included.

2: Defining and verifying a global constant
// On the base page (direct access):

define('_DEFVAR', 1);

// In included files (where direct access is prohibited):

defined('_DEFVAR') or exit('Restricted access');

Logic: If the constant is not defined, then execution has not started from the base page, and PHP will stop executing.

Note that to ensure portability between updates and future changes, creating a modular authentication method will significantly reduce coding overhead, since changes will not need to be hard-coded for each individual file.

// Put the code in a separate file, for instance, 'checkdefined.php ':

defined('_DEFVAR') or exit('Restricted access');

// Replace the same code in the included files with:


Thus, you can add additional code checkdefined.php for logging and analytical purposes, as well as for generating relevant responses.

3: Authorization of the remote address
// Call include from the base page (direct access):

$includeData = file_get_contents("");

// In included files (where direct access is prohibited):

$src = $_SERVER['REMOTE_ADDR']; // Getting the source address

$auth = authoriseIP($src); // Authorization algorithm

if( !$auth ) exit('Restricted access');

The disadvantage of this method is isolated execution, unless the session token is provided with an internal request. Confirm with a return address in the case of a single server configuration or a whitelist of addresses for a multi-server or web server infrastructure with load balancing.

4: Token Authorization
As in the previous method, you can use GET or POST to transfer the authorization token to the included file:

if($key!="serv97602"){header("Location: ".$dart);exit();}

A very confusing method, but perhaps at the same time the safest and most versatile when used correctly.

5: Configuration of a specific server
Most servers allow you to assign permissions to individual files or directories. You can put all your inclusions in such restricted directories and configure web server to ban them.

For instance, in APACHE, the configuration is stored in a file .htaccess.

However, please note that I do not recommend configurations for specific servers, because they do not transfer well to different  servers. In cases like content management systems where the ban algorithm is complex or the list of banned directories is quite large, this can only make reconfiguration sessions quite confusing.

6. The placement includes a secure directory OUTSIDE the root of the site.
Least preferred due to access restrictions in web server environments, but a fairly powerful method – if you have access to the file system.

//Your secure directory path based on web server file system




The user cannot request any file outside of the htdocs folder, as the links will go beyond the address system of the website.

The php server accesses the file system initially and, therefore, can access files on the computer in the same way as a regular program with the necessary privileges can do.

By placing the included files in this directory, you can guarantee that the php web server will get access to them, while hot links are prohibited for the user.

Even if the configuration of access to the file system of the server has not been performed properly, this method will prevent accidental access to these files.