include() - security and others

  • Benoni
    New Member
    • Oct 2002
    • 29
    • 3.0.1

    include() - security and others

    I want to use include() for some pages on my website so I can have a password which often changes in one file, and then the files which use the password just include the password file.
    This is how database connection is done in vB. I have noticed and read about security issues related to the use of it. Couldn't someone from another site include your password file and then echo the variable? Could someone please tell me how to make the use of include() secure and how vB gets past this, and any other security issues too.
    Also, my password file is in a folder and all the files which want to include it are in sub dirs. Could someone please give an example of how to use include in this case.
    Thanks
  • Floris
    Senior Member
    • Dec 2001
    • 37767

    #2
    root/index.php {
    @require('./includes/config.php');
    }

    root/includes/index.html {
    empty! or with header redirect to the main site
    }
    root/includes/.htaccess {
    call passwd to protect entry to this directory (apache)
    }
    root/includes/config.php {
    settings for the database type, name, username, userpass and other global variables (the way vBulletin has them is a nice example)
    }

    Comment

    • Benoni
      New Member
      • Oct 2002
      • 29
      • 3.0.1

      #3
      Originally posted by xiphoid
      root/index.php {
      @require('./includes/config.php');
      }

      root/includes/index.html {
      empty! or with header redirect to the main site
      }
      root/includes/.htaccess {
      call passwd to protect entry to this directory (apache)
      }
      root/includes/config.php {
      settings for the database type, name, username, userpass and other global variables (the way vBulletin has them is a nice example)
      }
      Could you please repeat that in a way a beginner could understand.
      Thanks

      Comment

      • Icheb
        Senior Member
        • Nov 2002
        • 1291

        #4
        You can't echo out a variable from a file which is being included from a different server. This would, as you already stated, open up a ton of security risks.
        Only the content which is being sent to the browser from that page will be included and accessible, nothing else.

        Comment

        • Floris
          Senior Member
          • Dec 2001
          • 37767

          #5
          lol
          I thought I did.

          root/ is the root directory
          and root/includes/ is the includes directory in the root directory.

          index.php can be any file that you want.
          Start it with <?php and end it with ?>, both on a new line;
          between those tags you can do that require line to include the data from the config file. Since you don't want to show any content of the .php files without an established mysql or password .. require it, instead of including it.

          You can password protect the includes directory with apache by using .htaccess and .htpasswd.
          The script can still access it, but when someone types in yoursite.com/includes/ they are prompted for a user/pass combination which they of course don't have. So they can't access the config.php file.

          In case they have, add an empty index.html file in the includes directory, so they can't see anything.

          The config.php file can hold the variables like

          $username="somebody";
          $password="secret";
          $dbusername="your_dbase_username";
          $dbpassword="your_dbase_password";
          $dbname="your_db";
          $dbhost="your_db_host"; // most times this is just localhost

          and other stuff.

          Now in index.php you can make stuff like

          if (($inputfield_value_for_username == $username) && ($inputfield_value_for_password == $password))
          {
          print "Welcome $username";
          // your code here like
          // query to make database connection and pull data from database and display the results to this user
          } else {
          print "Invalid username!";
          exit;
          }

          Comment

          • Icheb
            Senior Member
            • Nov 2002
            • 1291

            #6
            From the manual:

            If the target server interprets the target file as PHP code, variables may be passed to the included file using an URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

            Variables can be passed to the included file, but the included file's variables can't be called.

            Comment

            • Benoni
              New Member
              • Oct 2002
              • 29
              • 3.0.1

              #7
              The way you are showing it the file which is included is in a sub dir to the file which calls the include.
              Almost every page on my site needs to use this file, and it is not in the sub dir of any of them.
              File to be included is in users_root_dir/include/config.php
              File which calls the include is in users_root_dir/contact/index.php

              Thanks

              Comment

              • Floris
                Senior Member
                • Dec 2001
                • 37767

                #8
                $current == $whereiamnow PHP variable, forgot by head
                You can then do a chdir(go here);
                require the file
                chdir($current);

                Comment

                • Chen
                  Senior Member
                  • Jun 2001
                  • 8388

                  #9
                  Originally posted by xiphoid
                  root/index.php {
                  @require('./includes/config.php');
                  }

                  root/includes/index.html {
                  empty! or with header redirect to the main site
                  }
                  root/includes/.htaccess {
                  call passwd to protect entry to this directory (apache)
                  }
                  root/includes/config.php {
                  settings for the database type, name, username, userpass and other global variables (the way vBulletin has them is a nice example)
                  }
                  Actually that would be useless if the "attacker" was on the same server. If that's not the case, you have nothing to worry about - if you "include" a file through HTTP you're simply getting its output, nothing more. You don't even have to protect the containing folder.

                  However if the attack was to come from within your server, it's a bit more complicated. Anyone can fpassthru() the configuration file and have the information available. You can encrypt config.php using Zend Encoder or PHP-Encoder, but it wouldn't help since he could just include it and print_r($GLOBALS) to see exactly what's defined in the file. The only method that is probably foolproof is to not use any global configuration files and simply open and close the database connection in one file, and don't forget to unset() the variables which contain the sensitive information. That way there's no way anyone could take advantage of an open connection to the database or get your login information. However this totally defeats the purpose of require() and it's definitely not acceptable when working on a multi-file project.

                  This can all be avoided if hosts set up user permissions correctly on their servers, but unfortunately most don't so this is a very large problem.

                  P.S.
                  I think you're looking for getcwd().
                  Chen Avinadav
                  Better to remain silent and be thought a fool than to speak out and remove all doubt.

                  I am also disappointed by Maariv's coverage of the NRG network's Letour Motor competition.

                  Comment

                  • Benoni
                    New Member
                    • Oct 2002
                    • 29
                    • 3.0.1

                    #10
                    Originally posted by xiphoid
                    $current == $whereiamnow PHP variable, forgot by head
                    You can then do a chdir(go here);
                    require the file
                    chdir($current);
                    I don't understand what you mean by that

                    Comment

                    • Floris
                      Senior Member
                      • Dec 2001
                      • 37767

                      #11
                      Chen,
                      if you are a part of a hosting company where other users on the same virtual server have the right to even go out of their home directory, you should not consider changing to a new hosting provider, but you should immediately cancel your account and go some place else.

                      A user is a user, and not a user with rights to go snooping around the system.

                      If they can, they at least shouldn't have the rights to enter other users' directories and ls their files.

                      Of course they shouldn't have the rights to include the files.

                      Comment

                      • Floris
                        Senior Member
                        • Dec 2001
                        • 37767

                        #12
                        Originally posted by Benoni
                        I don't understand what you mean by that
                        Go to php.net and learn php then.
                        If you don't know the basics, you shouldn't try to make something like this. Sorry. I am not going to copy/paste everything from the help files for you.

                        Chen, adding index.html and .htaccess/.htpasswd is just an extra security layer, and it is easy to add and harder to crack. Adding extra security is a smart thing to do. It is also not required to put the config.php file in another directory, because you are not telling your users which file it is using to hold the data (it is smarter to put it in a sub dir, where they can't access it, because this way if they guess the filename right, they can't access it; but it is not required either)

                        getcwd() would be the one.
                        Last edited by Floris; Wed 26 Feb '03, 7:07am.

                        Comment

                        • Benoni
                          New Member
                          • Oct 2002
                          • 29
                          • 3.0.1

                          #13
                          Originally posted by xiphoid
                          Go to php.net and learn php then.
                          If you don't know the basics, you shouldn't try to make something like this. Sorry. I am not going to copy/paste everything from the help files for you.

                          Chen, adding index.html and .htaccess/.htpasswd is just an extra security layer, and it is easy to add and harder to crack. Adding extra security is a smart thing to do. It is also not required to put the config.php file in another directory, because you are not telling your users which file it is using to hold the data (it is smarter to put it in a sub dir, where they can't access it, because this way if they guess the filename right, they can't access it; but it is not required either)

                          getcwd() would be the one.

                          It is not that I don't understand PHP, but that I don't understand what you mean and the way you explain it. I have asked for harder help than this before and been able to understand what the person was saying with no more replies.

                          Comment

                          • Floris
                            Senior Member
                            • Dec 2001
                            • 37767

                            #14
                            If you know PHP then you know what I mean by making a .php file and putting files in a sub dir and stuff. I am not going to write all the code for you so you can try and then say, yeah it works! and thank you, I understand it now. This is all the help I can give. I explained it twice, and you didn't understand both situations. Sorry.

                            Comment

                            • Benoni
                              New Member
                              • Oct 2002
                              • 29
                              • 3.0.1

                              #15
                              Got it now

                              Originally posted by xiphoid
                              $current == $whereiamnow PHP variable, forgot by head
                              You can then do a chdir(go here);
                              require the file
                              chdir($current);
                              I understand you now!
                              The only stupid thing about that is that the directory you would have to enter is always specific to the server

                              ie. /home/sites/benoni/www/public_html/

                              what is there to say I will have benoni on another server?

                              Which is easier: Changing the password in all files or changing the location of the password file in all files?

                              Comment
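An added example, not code from this thread or from vBulletin, that puts the two threads of advice together: Chen's point that the same-server risk is a file-permission problem and that the credentials should be unset() once the connection exists, and the path question from #8 and #15, solved here with dirname(__FILE__) instead of chdir()/getcwd() or a server-specific absolute path. The file layout, the PDO connection and every credential value are assumptions (placeholders).

```php
<?php
// ===== users_root_dir/include/config.php =====
// Credentials are wrapped in a function so they never become global variables:
// a script that does `require` + print_r($GLOBALS) sees only the function name,
// not the password. Values below are placeholders, not real credentials.
function site_db_connect()
{
    $dbhost = 'localhost';               // placeholder
    $dbname = 'your_db';                 // placeholder
    $dbuser = 'your_dbase_username';     // placeholder
    $dbpass = 'your_dbase_password';     // placeholder

    $db = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // As Chen suggests: drop the secrets as soon as the handle exists, so
    // nothing after this point (or any later-included file) can read them.
    unset($dbuser, $dbpass);
    return $db;
}
```

```php
<?php
// ===== users_root_dir/contact/index.php =====
// Resolve the config relative to THIS file (contact/ -> users_root_dir),
// so the path survives a move to a server with a different home layout
// and no chdir() is needed (the concern raised in #15).
$config = dirname(dirname(__FILE__)) . '/include/config.php';

// The same-server protection is file permissions, not PHP: refuse to run
// if config.php is readable by "other" (the shared-hosting case in #9/#11).
if (!is_file($config) || (fileperms($config) & 0004)) {
    die('config.php is missing or world-readable; chmod 640 it first.');
}

require $config;               // require, not include: fail hard if missing
$db = site_db_connect();       // credentials never entered global scope
$stmt = $db->query('SELECT 1');
echo 'Welcome: connection ok';
```

Apache-side, the thread's .htaccess/.htpasswd on include/ only blocks browser access; the chmod check above is what covers another account on the same box.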
