
PHP can include with no restrictions?

Posted: 07. June 2010 17:54
by Radzio
I have set my Apache to deny any access to root directory but PHP scripts are still allowed to include/require files from any dir.
Should something be changed in PHP settings?

Re: PHP can include with no restrictions?

Posted: 07. June 2010 20:40
by Nobbie
Radzio wrote: I have set my Apache to deny any access to root directory but PHP scripts are still allowed to include/require files from any dir.


Yes of course, an HTTP request and a simple file-open are very, very different things.

Radzio wrote: Should something be changed in PHP settings?


Read about "safe_mode" and "open_basedir" restriction if it is satisfactory to your needs.

Re: PHP can include with no restrictions?

Posted: 08. June 2010 06:00
by JonB
Thanks Nobbie for making a good point...

It's worth remembering 'where' the PHP is running and 'whom' it thinks 'it' is on a Windows system running Apache. Apache is calling DLLs to do the work. Thus httpd.exe is/controls the user context for PHP. :shock: This is one of the reasons cross-domain scripting is such a big deal.

The good news is 'normally' YOU get to control what PHP code resides on your server.

Holy Moly Batcoder!
8)

Re: PHP can include with no restrictions?

Posted: 08. June 2010 08:24
by Radzio
Nobbie wrote: Read about "safe_mode" and "open_basedir" restriction if it is satisfactory to your needs.

Thanks, that really helped. "open_basedir" is what I needed.

I'm learning to understand this better. Till now I thought that restricting access in httpd.conf would affect anything that runs with Apache.

Nobbie wrote: Yes of course, an HTTP request and a simple file-open are very, very different things.

So one last question: do all directory access restrictions I made in httpd.conf apply only to HTTP requests?

Re: PHP can include with no restrictions?

Posted: 08. June 2010 09:19
by Nobbie
Radzio wrote: So one last question: do all directory access restrictions I made in httpd.conf apply only to HTTP requests?


Yes.
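
The distinction settled in this thread, as an added configuration example that is not from any of the posters: the `<Directory />` block only decides which URLs Apache will serve, while `open_basedir` decides which files PHP may open. The `C:/xampp/...` paths, the Apache 2.4 `Require` syntax and the use of mod_php are assumptions.

```apache
# Added example, not from the thread. All paths are assumed (XAMPP-style layout).

# 1) HTTP layer only.
#    Apache refuses to serve any URL that maps to a file outside the site tree.
#    PHP's include/require/fopen never pass through this check, so a script
#    running inside htdocs can still read any file the httpd account can read.
#    (Apache 2.2 equivalent: "Order deny,allow" plus "Deny from all".)
<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory "C:/xampp/htdocs">
    AllowOverride None
    Require all granted
</Directory>

# 2) PHP file layer.
#    open_basedir confines PHP's own file functions to the listed directories.
#    php_admin_value (mod_php) cannot be overridden from .htaccess or ini_set().
#    The list separator is ";" on Windows and ":" on Unix-like systems.
#    The temp directory is listed so uploads and sessions keep working.
#    safe_mode is not shown: it was deprecated in PHP 5.3 and removed in 5.4.
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs"
    php_admin_value open_basedir "C:/xampp/htdocs/;C:/xampp/tmp/"
</VirtualHost>
```

An `include` of a path outside the listed directories then fails with an "open_basedir restriction in effect" warning. The setting covers PHP's own file functions only; programs a script launches and everything else remain bounded by the operating-system account that httpd runs as.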