Protecting PHP includes (with htaccess?) PHP, htaccess

2023-09-02 00:42:29 Author: 自认与酒同醉

First of all, I'm pretty sure a similar question will be on Stack Overflow, but I didn't really find it. Probably because I am using the wrong keywords. So don't shoot me because of that.

What my question basically is, I want to include php files, but I only want them to be included and not for people to be opened with their browser. They should get an error.

For example, I have an includes directory with a PHP file which contains my connection to a DB (password etc., dangerous?). I want to be able to include it, but I don't want people to directly visit the page.

Will putting a password on the includes directory with htaccess fix my problem? First I thought it wouldn't, because it would be weird that pages can be included for users that don't have access to it. But it seems to work, how does this come? Is there another, better option? What do web developers usually do?

And also can I do something similar for javascript files? My guess is that this won't be the case, but I'm just asking. The js file contains ajax calls to certain pages, but I guess I'm happy if I can protect the php pages from visiting.

Anyway, thanks in advance :)

Recommended answer

I think explaining how the pieces work together will help clear up the confusion.

A request comes in (from the user's web browser). Your web server (in this example, Apache) receives this. First, it checks the <Location> permissions. Then it looks through the rest of the configuration, and eventually maps the request URI to the filesystem. Now, finally, it can check <Directory> permissions as well as .htaccess.

If any of those permission checks fails (e.g., deny from all), Apache stops processing the request, and sends back an error (or request for username & password in the case of HTTP Basic authentication).

Once all the permission checks pass, Apache looks at the file, and notices that it's a .php file. Somewhere in your (or your web host's) Apache config, there is an AddHandler directive that tells Apache to pass this request on to the PHP engine (which could be mod_php, or via FastCGI). (For most files, it instead sends the contents of the file to the browser. But script files are special, because of that AddHandler.)

Now, PHP reads your script file. It then also reads your include files directly. This doesn't go back through Apache, so things like .htaccess do not apply. It also means that your PHP includes do not need to be in your document root. They can be anywhere that the PHP process can access (based on UNIX permissions and PHP configuration). Setting an include_dir in your php.ini makes it easy to put these wherever.

Client-side JavaScript is run by the user's browser. It isn't interpreted server-side (like PHP is). So the user must be able to access it, just like the user must be able to access your .html files.

So, in short:

- You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all.
- You can not do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).
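An added example (not part of the original answer) of the `Deny from all` rule the answer describes, written so that it loads on both Apache 2.2 and 2.4. The directory path in option B is a hypothetical placeholder.

```apache
# Option A: includes/.htaccess
# Only takes effect if the server config allows overrides here
# (AllowOverride AuthConfig for "Require", Limit for "Order/Deny").
# With "AllowOverride None" this file is silently ignored and the
# directory stays reachable, so verify the result after deploying.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax, as quoted in the answer. On 2.4 without
    # mod_access_compat a bare "Deny from all" causes a 500 error,
    # which is why it is wrapped in this conditional.
    Order deny,allow
    Deny from all
</IfModule>

# Option B: the same rule in the server or vhost config
# (hypothetical path). This does not depend on AllowOverride.
<Directory "/var/www/example/public/includes">
    Require all denied
</Directory>
```

After deploying either option, a direct browser request for a file in the includes directory should return 403 while pages that include those files keep working.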
 