
Welcome to the David Walsh Blog. I'm a MooTools, Dojo, jQuery, CSS, and PHP Web Developer located in Madison, Wisconsin, United States. Please contact me if I can make your experience on my website better.

Advanced .htaccess Security – Block Access to Include Files Using .htaccess


When I build websites for clients and myself, I use numerous include files to make my website easy to maintain. These include files may:

  • be composed of pure HTML, with no server-side programming involved
  • be PHP class files used throughout the website
  • be composed of both HTML and PHP
  • be PHP code that produces a specific action, often AJAX scripts

Obviously, if a person were to get lucky and guess the path and file name of my include scripts, problems could result, especially if an AJAX script is not secured (but I wouldn't do that -- nor would you, right?). For example, take the following poorly coded bit of PHP that would get run when an AJAX call was made:

//inside file:   includes/ajax/delete_id.inc
//deliberately insecure example: $_GET['id'] is concatenated into the SQL string unvalidated
$query = 'DELETE FROM my_table WHERE id = '.$_GET['id'];
mysql_query($query);

Imagine if the user changed the 'id' in the querystring to "' or 1" -- all data would be lost!

Even if my scripts are secure (meaning I use proper validation to make sure they've been called correctly), a user/hacker has no business calling an include file. Using .htaccess, we can prevent any attempt by a user to reach an include file:

<Files ~ "\.inc$">
	Order allow,deny
	Deny from all
</Files>

The above code tells the server to disallow any requests, by the user, for any file ending in ".inc". You can easily modify the above .htaccess for your own naming convention and folder structure.
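As an added example (not from the original post), here is the same rule widened to cover several include-file extensions at once, written for both the Apache 2.2 syntax used above and the Apache 2.4 `Require` syntax, with comments on what the rule does and does not affect. The extension list is an assumption; adjust it to your own naming convention.

```apache
# Added example, not from the original post.
# Assumed naming convention: server-side include files end in
# .inc, .class.php or .tpl. Placed in the site root .htaccess,
# the rule applies to that directory and every subdirectory.

# Apache 2.4 (mod_authz_core): Order/Allow/Deny are gone here.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(inc|class\.php|tpl)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 (mod_access): the syntax the post uses, one block
# for all three extensions instead of one <Files> per extension.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(inc|class\.php|tpl)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# What this changes: any HTTP request whose path ends in one of
# those extensions gets a 403, whether typed into the browser or
# sent by an AJAX call. What it does not change: PHP's include()
# and require() read the file from disk, not over HTTP, so the
# files keep working when pulled in by your own scripts.
# Consequence for the design: a script the browser must request
# directly (an AJAX endpoint) is not an include file and must not
# match the pattern, e.g. keep it as ajax/delete_id.php.
```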

Just another .htaccess tip to make your website more secure!

Discussion

  1. October 16, 2007 @ 8:25 pm

    Nice one, I’m going to add it to the ultimate htaccess guide at http://www.askapache.com/apache/apache-htaccess.html

  2. March 25, 2008 @ 10:04 am

    Where in the .htaccess file do you place that code (the second block of code in your entry)?

  3. March 25, 2008 @ 5:26 pm

    @Charles: It shouldn’t matter where in your .htaccess file you place the above snippet.

  4. March 25, 2008 @ 6:08 pm

    Nice work.
    Are you able to add multiple filenames/file paths to the tag?

  5. March 25, 2008 @ 6:19 pm

    @pfwd: I believe if you’re clever with regular expressions you should be able to.

  6. February 2, 2009 @ 4:08 am

    This is very cool. A similar trick I use a lot, and I believe WordPress uses as well, is to check to see if a php file is being accessed directly.

    <?php
    //this document is called file.php
    //refuse to run when the script is the one requested directly, rather than included
    if ('file.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Do not access this page directly.');
    ?>

    (Please convert my _ to _ )

  7. specs
    May 15, 2009 @ 8:44 am

    I used this, but now my AJAX calls to .inc files (sends GET variables and then receives output from .inc file) aren’t working anymore…

    new Request.HTML({
    url: 'http://www.blah.com/includes/consultant_ajax.inc?id=' + id + '',

    Isn’t there a way to define a “Don’t deny from server call” or something (if this makes sense)?

    I’m assuming the “deny from all” makes it fail even when I make an AJAX call to the .inc file.

    Any thoughts?

  9. July 1, 2010 @ 6:51 am

    Wow!! That is really a cool trick… to block include files….

    Thanks.. :)
