How to detect and prevent including from anothers?
My database (of a phpBB version 3 forum) was bogus data / garbage. I am using shared hosting with many people. I read apache log file and saw a man (script kiddie) who had an account on the same server hosting with me, included my config.php and inserted random text overwrite my topics, my users,... so that the forum was not able working correctly.
I used Zend Guard to encrypt the config.php but he still included successfully. My hosting provider said that they cannot config to prevent "local-hack" 100% because server have PHP4 and PHP5 concurrent (many customers remain to run PHP4 script).
Could I have some lines of codes in config.php to detect and prevent including to get variables value? I can include my config.php certainly.
One way, and I'm sure there's better, but create a random string or hash, and;
// in config.php define('12618922d9beec178c306b184c1810ac', TRUE);
// in files that include config.php if (! defined('12618922d9beec178c306b184c1810ac')) die ('AAAaaaaAAUUURRrrrrgggHHHh!');
This will only work if the only way he has access to the file is via include or require. If your host permits him to run a file_get_contents() or file() on your data, I would switch hosts, ASAP. Hell, I'd probably switch anyways if they're letting this guy run amuck.
The Following User Says Thank You to delayedinsanity For This Useful Post: