Server side includes outside web root

[jrbarnett]

Hi all,

Does anybody know if it is possible to use server side includes on a file outside the web root directory (eg C:\Inetpub\

http://wwwroot

on IIS)?

I need to include a configuration file with global parameters, which I don't really want end users to be able to look at directly from their browser (eg database connection information), and without the hassle of securing just this one file via IIS security.

I have tried using &quot;<!-- #include file=&quot;D:\website\config.txt&quot; --> but this only results in an SSI file not found error when I access the page.

Any suggestions would be most welcome,

John

 

[link9]

Why not just name it:

akandpcn.inc

or something really cryptic like that -- your users won't see the SSI, and the chances of them getting a hit on a cryptic file name are pretty slim.

Just disallow directory browsing, and you should be set.


Paul Prewett

 

[dilettante]

Seems to me some people name their includes .ASP to get around this. Can't remember if this is legit though.
MS recommmends you put includes into another folder, and take away read permissions on this folder.

Including Files

http://msdn.microsoft.com/library/en-us/iisref/html/psdk/asp/iiwainc.asp

 

[vasah20]

dilettante -
ending all your files in .asp has it's drawbacks, though. If your site gets a lot of hits, and you end your includes in .asp, then you introduce a lot of unnecessary processing on the server-side (since it needs to load the asp.dll into memory to process it). OTOH, if you end your files in .asp, then it's impossible for the casual viewer to type the filename into the URL bar and see the contents of the ASP code.

Personally - I would create an include folder. Remove Read permissions from the folder, and you should be fine. All the includes from the folder will be relatively safe, since no one can read the folder, therefore they cannot download from it.

hth
leo