php as cgi permissions and includes

Newbie to programming here.

Am I understanding this correctly: Running php as cgi means that I can keep my include files for my php scripts in a dir in my public web space, set the permissions to 700 or even 500 and my script can read them as owner, but they will be protected and secure from the public?

If not, how exactly to I write the include in my scripts and where do I keep them?

tried "include_once('/home/*my username*/*dir_outside_of_webspace*/foo.php');
and, of course, it couldn't find or load the file.

I want to do some MySQL PHP programming and don't want to try it on a public server until I at least kinow how to protect my database login info.

Thanks for your help.

include_once("../dir_outside/foo.php");

Providing your PHP script is within the root directory of your website.

And running it as CGI vs Apache module, as far as you're concerned, means nothing. No difference.

THANKS!

If you want to chime in on any other tips for php security on dreamhost (or in general) I'd like to hear it. I'm just getting going at this.

again, THANKS.

Simple, always use the DB's quoting options. If you're using mysql, always use mysql_real_quotes() around ALL string types. Always use intval(), floatval(), doubleval(), etc around ALL numerical type data (most common you'll use is intval() unless it has a decimal then it's floatval()).

NEVER use direct user input within SQL queries. Everything has to be cleaned up some how. Using the above methods will work best. Never assume the user entered what you expected.

When writing a form mail script; NEVER EVER accept the "to" field from within user input. Always hard code your "To:" value or grab it from the DB or something. Never rely on a hidden input field or query string, this just opens up your script for spammers to use their own TO address to send loads of main through your script.

And that's all I can think of right off hand. Those are the two top issues with scripts. If you're using PHP5, I'd also suggest turning on E_STRICT by adding error_reporting(E_STRICT) to the top of your scripts. Code it right the first time so you don't develop any bad habits. Don't rely on HTTP_*_VAR (long_array_vars) as they'll go poof in PHP6. Don't EVER use register_globals, addslashes() or magic_quotes and they are security holes in your script.

Okay, think I'm done now. :p

I'm sure if Simon sees this post, he might have more to add. He definatly knows his stuff, too.

I can't thank you enough for taking the time to provide your insight. I'm sure it will save me hours of coding and recoding. Trying to learn good habits from the outset.

A couple more newbie questions. I understand if you don't have time to answer them, but I'm going to toss them out there anyway:

1. The first projects I'm working on are forms. Are you saying that the TO: address should be included from a file outside of web space? Right now its a variable in the page $form_recipient="foo@bar.com"; and therefore is not delivered to the browser...right? How easy is it for someone to get the actual unparsed script out of the "form.php" file in my webspace?

2. I'm assuming I'm parsing my scripts through php 4.x.x. I don't have php5 checked in the domain setup, just PHP as CGI. Register_globals is enabled in php4. The first canned script I'm trying to learn from sets 3 global variables in a custom function in the included file-
function f($i){
global $this,$that,$the_other;

Is this a security issue in any way? Should I get in the habit of initializing ALL VARIABLES and setting them as false even though they seem innocuous?

3. Only using MySQL locally until I can learn more: Magic_quotes is on on the DH PHP4 and PHP5 installations. Are you saying:

if (get_magic_quotes_gpc()) {
$_GET = magic_quotes_stripslashes($_GET);
$_POST = magic_quotes_stripslashes($_POST);
$_COOKIE = magic_quotes_stripslashes($_COOKIE);
$_REQUEST = magic_quotes_stripslashes($_REQUEST);
}
in all my scripts and then learn to escape input on a case-by-case basis with mysql_real_quotes() , intval(), floatval(), doubleval(), etc? I had previously been advised to stripslashes and then to USE addslashes() on the inputs that were going into the Db. Is addslashes() ok for non Db scripts?

Well, many thanks to anyone who even bothers to READ all these questions, much less answer them. Although, consider that newbies like me are out there and the server you save may be your own :)