prevent direct access to a php include


I have a PHP script, <strong>PayPal eStores/dl_paycart</strong>, but it has the <a href="http://secunia.com/advisories/33036/" rel="nofollow">PayPal eStores "settings.php" Security Bypass Vulnerability</a>.

I would like to know if I can prevent direct access to a php include file.

Would this help?

defined( '_paycart' ) or die( 'Access to this directory is not permitted' );

Thank you


I would STRONGLY recommend finding some new script. Any sort of blocking is just sticking a finger in the dam; it isn't a permanent solution and eventually it's going to break.

If you really want to use it, check out .htaccess files, particularly "Order Allow,Deny" and "Deny from All".


The problem is that if someone is able to use "include" and read the code contents, variables, and the like, that means that they are already operating on the same server and, to be a bit crude, you're boned if they try to screw with you.

On the other hand, if you're looking to prevent outside access to the file from a remote server, then the include call can only retrieve the values which would be displayed to any external site (and if the question is, "Can I prevent external sites from even loading this file remotely", the answer is "through server configurations in http.conf and .htaccess files" ).

The long and the short, however, is that this is not something which can really be fixed with PHP, this is a server security issue.



1. The fact that the script has a .php extension offers some protection - any http or https call for that file will go through the web server, which is going to execute the PHP before serving the request.

2. I would recommend moving the script to a directory under your public web directory and putting an .htaccess file in that directory that either blocks all requests, or requires a password to access it. Then include the script when needed by scripts in your public directory. See <a href="http://httpd.apache.org/docs/2.2/howto/htaccess.html" rel="nofollow">Apache's .htaccess Tutorial</a>.


Probably the most secure way is something like this

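// Scripts that are allowed to be the page being executed
$allowed_files = array("/paths/", "/that/", "/are/", "/allowed/");

// Stop unless the currently executing script is on the list
if (!in_array($_SERVER['PHP_SELF'], $allowed_files)) {
    die("Not Allowed");
}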

Fill the array with the files that you would like to have access. (You might have to access PHP self in each page you want and copy and paste it in.) This will check to make sure that the file being executed is one of the allowed pages. If it isn't, the script will die.

I believe $_SERVER might be able to be changed, but probably won't be. This file will still be able to be gotten using fopen or file_get_contents, and if someone reads it, they will know what to change.

But I would forewarn, it is not 'completely secure', because there isn't really a way to make something 'completely' secure.
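The `defined()` guard from the question, shown working end to end as an added example (not part of the original thread and not PayPal eStores code): the include refuses to run unless an entry script defined `_paycart` first. The file names, the temporary directory and the setting value are constructed for the demo, and it assumes the PHP CLI with `shell_exec` enabled.

```php
<?php
// Added example: the define()/defined() guard from the question.
// File names and the 'db_pass' value are constructed for this demo.

$dir = sys_get_temp_dir() . '/paycart_demo_' . getmypid();
mkdir($dir);

// The include: refuses to run unless an entry point defined _paycart first.
file_put_contents("$dir/settings.php", <<<'PHP'
<?php
defined('_paycart') or die('Access to this directory is not permitted');
return ['db_pass' => 'constructed-sample-value'];
PHP
);

// The entry point: the only script meant to be requested directly.
file_put_contents("$dir/index.php", <<<'PHP'
<?php
define('_paycart', true);            // must be set before the include
$settings = require __DIR__ . '/settings.php';
echo 'loaded ' . count($settings) . ' setting(s)';
PHP
);

// Run a script in a fresh PHP process, as a separate request would.
function run_script(string $path): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path);
    return trim((string) shell_exec($cmd));
}

// Requested on its own, the include hits the guard and stops.
echo 'direct:    ', run_script("$dir/settings.php"), PHP_EOL;
// Loaded through the entry point, the constant exists and the include runs.
echo 'via entry: ', run_script("$dir/index.php"), PHP_EOL;

// Clean up the temporary files.
unlink("$dir/settings.php");
unlink("$dir/index.php");
rmdir($dir);
```

The guard only stops the include from executing when it is requested on its own; the answers' advice to deny the file in the server configuration still applies on top of it.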

