Hello, I'm new to PHP and trying to figure out how to protect PHP include files. I've searched google and got one solution which needs to edit php config to make those files with certain extensions inaccessible. But is there a way to protect these include files without editing php configuration? like making a function so the includes can only be called by php scripts. Any information would be greatly appreciated.

put a .php extension to your include files.

using cerj's method is enough... I just want to babble a little :p a few month ago, I'm in a shared hosting company which I can put something like: include("../../../other_username_here/www/includes/connect.php"); echo get_defined_vars(); then all variables (including mysql host, username and password) will be printed on screen :D but I'm sure right now (almost) all shared hosting company knows how to deal with this... if we talk about function, in mambo cms, almost all included files have something similar like: defined ("_VALID_MOS") or die ("direct access is not allowed"); so if we want to include that file, we need to include it in a file which has this line before the include function called: define ("_VALID_MOS", TRUE); - end of babble - ^o^ are you in Asia? do you watch Animax Asia? Please Vote

How about to include this at the start of the pages: --8<------ $username='yourusername'; if (strpos($username,getcwd())===false) die ('no direct access'); --8<------ Maybe some bugs in code, just a quick manually typed snippet...