Reputation: 111
I imagine this question has already been asked but I can't find it, so I am sorry for the eventual duplicate. I have only found the opposite.
How do I prevent cross domain includes in PHP? Is a preg_match of the $_SERVER["HTTP_REFERER"] enough? My guess is no. What is the option, if any, on the php.ini to prevent this?
Thank you.
Upvotes: 0
Views: 1032
Reputation: 46900
This is already impossible, hence you do not need to worry about it. PHP source code includes are not processed over HTTP. They can only be included if on the same server. No one can include your PHP source file in their website by just using its URL. Both scripts have to be on the same server.
If a PHP source file is included over HTTP, the including party will only see the output generated by the PHP file, not its source code.
In fact, even you yourself cannot include() your PHP source file using HTTP, even if both files are on the same server. Anything that goes through HTTP with a properly working PHP-enabled web server will not send the source code out to the client.
Example:
Let's say you have a website example.com and you are on index.php and you have to include sources.php, which resides in the same directory. If you try
include("sources.php"); //or "/path/to/your/root/sources.php"
This will work as expected and source code will be included. But if you try
include("http://www.example.com/sources.php");
This will NOT include any source code from sources.php into your index.php, even though you own both files and they are on the same server. This is because when it's served via HTTP, the code has already been processed, and a properly configured PHP-enabled web server will not send out PHP source code.
Upvotes: 3
Reputation: 944020
You can't stop people downloading your HTTP resources and using them however they like. (Note they can only include the output of your program, not the PHP source code).
You can put barriers in the way (such as checking the user agent string in the HTTP request), but they are easy to bypass.
php.ini has no setting to prevent this. It allows you to disable the ability of scripts running on your server from including content over HTTP, but not from being included.
Upvotes: 0
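The php.ini control mentioned in the last answer governs what scripts on your own server may include, not who may fetch your output. As an added example (not code from any of the posts above), this PHP script audits the two directives involved, allow_url_fopen and allow_url_include, assuming it runs under the same php.ini as the web server; the function names and the example.invalid URL are made up for illustration.

```php
<?php
// Added example: check whether this PHP runtime permits include/require over URLs.
// Run from the CLI with the web server's configuration: php -c /path/to/php.ini audit.php

/** Read a boolean php.ini directive ("1", "On", "true", "yes" count as enabled). */
function ini_flag(string $name): bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return false; // directive not known to this PHP build
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/** Report the directives that decide whether include("http://...") can work. */
function audit_remote_include(): array
{
    $fopen   = ini_flag('allow_url_fopen');
    $include = ini_flag('allow_url_include');
    return [
        'allow_url_fopen'         => $fopen,
        'allow_url_include'       => $include,
        // include/require accept URL wrappers only when both are enabled
        'remote_include_possible' => $fopen && $include,
    ];
}

$report = audit_remote_include();
foreach ($report as $key => $value) {
    printf("%-24s %s\n", $key, $value ? 'On' : 'Off');
}

if ($report['remote_include_possible']) {
    fwrite(STDERR, "WARNING: set allow_url_include = Off in php.ini\n");
    exit(1);
}

// With remote includes disabled, PHP refuses the URL before any request is sent.
// The host is a constructed placeholder; @ hides the expected warning.
$result = @include 'http://example.invalid/sources.php';
echo "include over HTTP returned: ", var_export($result, true), "\n"; // false
```

The non-zero exit status makes the script usable as a deployment check. Even when the directive is on, an HTTP include only pulls in whatever output the remote server sends, as both answers point out.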