In a PHP application, some files are login-protected, and some are include files that never need to run directly and may hold important data that is not meant for public view.
For each login-protected page, you write a login check script at the top of the page.
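<?php session_start(); // 'logged_in' and login.php are example names, not from a real application
if (empty($_SESSION['logged_in'])) { header('Location: login.php'); exit; } ?>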
Now, what about the files we pull in using 'include', 'require', 'include_once' or 'require_once'? They can be very important, and for security reasons visitors should not be able to reach them.
<?php include 'important.php'; ?>
The important.php file can still be accessed directly by its URL on the web server.
To prevent this, you can:
1. Save all important/included files outside of the web root. This way a file can only be included and cannot be accessed by any URL.
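2. Use the Apache configuration file (conf/httpd) to deny requests for these files:
<Files ~ "\.inc(\.php)?$">
    # Apache 2.0/2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
</Files>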
Now when a user requests a file with the extension "inc" or "inc.php", the visitor will get this message:
You don't have permission to access /phptest.inc on this server.
Apache/2.0.50 (...) Server at ..... Port __
A customized error page can be made for this situation.
3. Apart from the above methods, you can also write a small piece of code within the included/important file itself that stops the file's execution.
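
One way to write the in-file guard from method 3, as an added example that is not code from the original page. The constant name APP_ENTRY, the helper function name and the sample settings are assumptions; only the file name important.php comes from the text above.

```php
<?php
// important.php -- added example; names other than the file name are assumed.
//
// Check A: the real entry script (for example index.php) is expected to run
//     define('APP_ENTRY', true);
// before it includes this file. A direct request never defines the constant.
//
// Check B: compare this file's path with the script the server was asked to
// run. They are identical only when this file itself is the request target.
function included_file_requested_directly(string $thisFile): bool
{
    $entryReal = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
    $selfReal  = realpath($thisFile);

    return $entryReal !== false && $entryReal === $selfReal;
}

if (!defined('APP_ENTRY') || included_file_requested_directly(__FILE__)) {
    // Stop before any protected code below is executed.
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Direct access not permitted.');
}

// ---- protected content starts here (constructed sample values) ----
$settings = [
    'db_host' => 'localhost',
    'db_name' => 'example_db',
];
```

This guard only helps for files the server passes to PHP. A file such as phptest.inc is normally served as plain text when requested directly, so it still needs method 1 or 2.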