expertsrt.com
Include file security.
rdivilbiss
Governing Council Member
« on: August 21, 2006, 06:44:04 PM »

I have read so much code today my brain has fried.

Let's say I have a file, myGlobals.php, that lives in the includes directory of my site.

If someone guesses the name of that file and requests it directly in their browser, that page will be sent via the PHP script CGI and I have no code in that page which would generate output.

Now...(from the PHP manual)

Quote
If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Appendix L, List of Supported Protocols/Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

So if my shared ISP has URL fopen wrappers enabled, could a malicious user create a page which includes my "myGlobals.php" page and have access to the variables declared on that page, or would my page still be sent via the PHP script CGI?

Rod
CrYpTiC_MauleR
Site Builder

« Reply #1 on: August 21, 2006, 07:58:55 PM »

No, they will not have access to those variables. If they included your PHP file into their site, all they will be including is the PHP's output from that file. The actual PHP code will be hidden, so they cannot use your variables. The best thing to do either way is to put your includes in a directory outside your webroot. You can still include them, but no one can access them in the browser because they will not be in the web root anymore.
[x] Fight | www.crypticmauler.com
"You must be
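
The layout recommended in the reply above, as an added example that is not part of the thread or either poster's code: a loader that includes myGlobals.php by local path and refuses any include directory that sits inside the web root. The function name `load_include`, the directory names and the sample variables are assumptions made for the illustration.

```php
<?php
// Added example; every name except myGlobals.php is hypothetical.

/**
 * Include $file from $includeDir, which must sit outside $webRoot.
 * Returns the variables the included file defines.
 */
function load_include(string $webRoot, string $includeDir, string $file): array
{
    $root = realpath($webRoot);
    $dir  = realpath($includeDir);
    if ($root === false || $dir === false) {
        throw new RuntimeException('web root or include directory does not exist');
    }
    // Fail closed if the include directory is the web root or lives under it:
    // anything there can be requested directly by URL.
    if (strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("$dir is inside the web root");
    }
    // basename() keeps the name from walking out of $dir. The path is local,
    // so no URL wrapper is involved and the code runs in this process.
    $path = $dir . DIRECTORY_SEPARATOR . basename($file);
    if (!is_file($path)) {
        throw new RuntimeException("$path not found");
    }
    require $path; // the file's variables land in this function's scope
    unset($webRoot, $includeDir, $file, $root, $dir, $path);
    return get_defined_vars();
}

// Constructed layout in a temp directory so the example runs from the CLI.
$base = sys_get_temp_dir() . '/include-demo-' . getmypid();
mkdir("$base/public_html/includes", 0700, true); // inside the web root
mkdir("$base/includes", 0700, true);             // sibling of the web root
$src = '<?php $dbUser = "app"; $dbName = "site";'; // constructed sample values
file_put_contents("$base/includes/myGlobals.php", $src);
file_put_contents("$base/public_html/includes/myGlobals.php", $src);

// Outside the web root: loads, and the variables are available locally.
print_r(load_include("$base/public_html", "$base/includes", 'myGlobals.php'));

// Inside the web root: refused.
try {
    load_include("$base/public_html", "$base/public_html/includes", 'myGlobals.php');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```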