Many a hacker has learned of weaknesses by downloading include files or data that are stored alongside HTML and PHP files in the web server’s document root. To prevent this from happening to you, all you need to do is store code libraries and data outside the server’s document root.

For example, if the document root is /home/httpd/html, everything below that directory can be downloaded through a URL. It is a simple matter to put your library code, configuration files, log files, and other data outside that directory (e.g., in /usr/local/lib/myapp). This doesn’t prevent other users on the web server from accessing those files (see Section 12.4 earlier in this chapter), but it does prevent the files from being downloaded by remote users.

If you must store these auxiliary files in your document root, you can configure the web server to deny requests for those files. For example, this tells Apache to deny requests for any file with a .inc extension, a common extension for PHP include files:

<Files ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>

If you store code libraries in a different directory from the PHP pages that use them, you’ll need to tell PHP where the libraries are. Either give a path to the code in each include( ) or require( ), or change include_path in php.ini:

include_path = ".:/usr/local/php:/usr/local/lib/myapp";