Using includes in PHP to simplify life? Don't want your visitors to access them and receive errors or partial content? The solution is simple enough, though many people don't worry or don't consider it as a "threat".
There are a few reasons you wouldn't want someone to go through directories trying to access your include files. Whatever yours might be, there's an easy way to prevent it.
On your index file, you have it generate a variable.
<?php
$include_lock = "unlocked";
?> So we now have some code that generates a variable, '$include_lock' with the value 'unlocked'. Why are we doing this? Well, since you only want them to access the page through the index, we'll make a lock and key so that only going through the index file gives them the key.
With the code above, we need to now put something on the page that actually performs as the lock. It's simple enough, we'll just use a nice, clean if statement.
<?php
if ($include_lock != "unlocked") {
//Shut them down.
header("Location: 404.shtml");
OR
die("404 - File Not Found");
//You basically want it so that it would look like the typical 404 message from your site.
} else {
//your normal content goes here.
}
?> You'll want to take note that if you have 'register_globals' on, the user could simply add '?include_lock=unlocked' to the URL and gain access. To get around that, you could disable register_globals or use a session variable. If you go the session route, kill the variable after you do the include.