protect php includes (with htaccess?)

Question

First of all, I\'m pretty sure a similar question will be on Stack Overflow, but I didn\'t really find it. Probably because I am using the wrong keywords. So don\'t shoot me

Answer 1

Ideally, your PHP includes should be in a folder that is not directly accessible to the web.

eg: say your web site is in /var/www/htdocs/, then you would put index.php in there, but the includes should be in a separate folder, outside the web-accessible area. In this example, you could have a folder alongside htdocs called something like /var/www/includes/, where the PHP includes would live.

This way they are completely protected from unwanted direct web access.

In addition, you should write your PHP code such that an include file only contains classes or functions. This means that if it is accessed somehow from the web, nothing will happen: PHP will load all the functions, but won't run any of them, so the user will just see a blank page.

If another page wants to include that file, it would need to to the include, and then also call the function(s) inside it; you shouldn't have an include that runs code immediately.

You should only write PHP code that runs immediately on the pages that are intended for direct user access, such as index.php.

Hope that helps.