
I have a small PHP/MySQL project I would like to upload to our subdomain. The project has an includes/ folder that contains some PHP files that have information about the database name, username, password and login function.

How can I make the files of this directory readable by the website (so when someone comes to the website, they can log in and do other stuff) but not accessible to the public? I can use a file downloader to download the content of the folder which is something I want to block.

Is the solution using a .htaccess file?

EDIT:

Thank you all for the answer. After some reading, I switched my folder structure to be like this:

includes/
  - initiate.php
  - login.inc.php
  - functions.inc.php
public/
  - index.php
  - login.php
templates/
  - header.php
  - footer.php

I’m now having issues setting up relative and absolute path constants, though.

The initiate.php has my constant variables:

define('INITIATE_FOLDER', dirname(__FILE__));
define('ROOT_FOLDER', dirname(INITIATE_FOLDER));
define('TEMPLATES', ROOT_FOLDER . '/templates');
define('INCLUDES', ROOT_FOLDER . '/includes');
define('WWW_ROOT', ROOT_FOLDER . '/public');

When I echo out the constants, I get the following:

echo INITIATE_FOLDER; C:\wamp64\www\project\includes
echo ROOT_FOLDER; C:\wamp64\www\project
echo INCLUDES; C:\wamp64\www\project/includes
echo TEMPLATES; C:\wamp64\www\project/templates
echo WWW_ROOT; C:\wamp64\www\project/public

Can you please tell me what I’m doing wrong and how to correct it?

2 Answers


  1. As others have said, all content between <?php ?> tags will be removed from the page before it’s served by your server, so long as your file ends in .php.

    If you are trying to keep a non-php file from being served, your best bet is to put your includes folder where it is not publicly available.

    Generally, when you FTP into your server, the layout is something like this:

    www/
    public_html/
    ... etc, other folders
    

    The files you want to make publicly available should go inside of the public_html/www folder (www is usually just a shortcut/symlink for public_html).

    Your includes directory should go next to the public_html folder, rather than within it.

    www/
    public_html/
    includes/
    ... etc, other folders
    

    Then, in the files where you were including those files, include them from the new location.

    <?php
    require_once "includes/databaseSettings.php";
    

    becomes

    <?php
    require_once "../includes/databaseSettings.php";
    

    Now your files are outside of the directory being served by your HTTP server, but still available to be included in the rest of your code.

    This has usually been my experience, but can vary from vendor to vendor. If, when you FTP into your server, you don’t see a www or public_html folder, try navigating up one directory.

  2. If your server setup is correct, no PHP file will get downloaded, only executed.

    Basically, you have the PHP extension installed and if the file starts with <?php then it will be executable.

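Both answers rely on the .php extension being what keeps source code from reaching the client, so files such as backups or .inc copies left under the public folder are still sent as plain text. As an added example (not from either answer), this Python script walks a document root and lists such files; the marker strings, the assumption that only `.php` is executed, and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Assumption: only these extensions are handed to the PHP interpreter.
EXECUTED_EXTENSIONS = {".php"}
# Constructed markers for the kind of settings the question describes.
MARKERS = (b"<?php", b"password", b"db_pass")

def audit_docroot(docroot):
    """List (relative_path, markers) for files under docroot that would be
    sent to the client as plain text instead of being executed."""
    findings = []
    root = os.path.realpath(docroot)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTED_EXTENSIONS:
                continue  # executed by PHP, so the source is not sent
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536).lower()
            hits = [m.decode() for m in MARKERS if m in head]
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed layout mirroring the question's public/ and includes/."""
    files = {
        "public/index.php": "<?php require_once '../includes/initiate.php';",
        "public/login.php.bak": "<?php $password = 'example';",
        "public/old/settings.inc": "<?php define('DB_PASS', 'example');",
        "public/style.css": "body { margin: 0 }",
        "includes/initiate.php": "<?php define('DB_PASS', 'example');",
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "public")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, hits in audit_docroot(build_sample_tree(tmp)):
            print(f"{rel}: would be served as text, contains {hits}")
```

Run it against a local copy of the public folder before uploading; anything it lists belongs outside the served directory or should be deleted.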