SSI Include Virtual vs File

[QA]

When I use file=, it only works when the included file is with the shtml
file. When I do ../xxx or /xxxx/xxxx, it is not working.

Virtual works perfectly, however I hate to use virtual, because it means I
have to open up the directory to public, as virtual can only access file if
the file is open to public as well. It is a security hole.

 

[Hywel]

When I use file=, it only works when the included file is with the shtml
file. When I do ../xxx or /xxxx/xxxx, it is not working.

Virtual works perfectly, however I hate to use virtual, because it means I
have to open up the directory to public, as virtual can only access file if
the file is open to public as well. It is a security hole.

Visitors won't see the path to the included file, though, as it will
have been parsed when the parent page is served. Put your includes in
their own directory with a default document, so if anyone manages to
guess the include directory, simply browsing it won't get them very far.

 

[Greg Hewitt-Long]

When I use file=, it only works when the included file is with the shtml
file. When I do ../xxx or /xxxx/xxxx, it is not working.

Virtual works perfectly, however I hate to use virtual, because it means I
have to open up the directory to public, as virtual can only access file if
the file is open to public as well. It is a security hole.

..htaccess (if supported):

Options -Indexes

(assuming your has enabled your ability to override server wide
settings via .htaccess (try the above .htaccess file in a folder and
attempt to list the folder directory using a browser) - if it comes
back with an internal server error, you probably don't have the
ability to do this. If it returns a "forbidden" (probably a 403 error
code), then you have it working.

You can also put in a 403 redirect page that returns them to your home
page (or anywhere else you want them redirected to).

hth

GH-L