My concern is what if someone else includes
http://www.example.com/includes/functions.php in their script, and
starts calling my functions to make API calls using my credentials?
Should functions.php live somewhere else, perhaps outside of the
~/public_html dir? Or perhaps I can use UNIX permissions to prevent
anyone but my own apps to include the functions.php script?
You are mixing up a lot of things here. And the long story short: You should not worry. I gave a full explanation on how include works with URLs in this answer. Below is a summary for your purposes.
Specifically, while one could use include to include full URLs like include('http://www.google.com/'); the only thing you get from that include is the final rendered content of the page. 100% none of the functions, classes, variables, strings, constants or anything contained in the internals of that PHP code. Or as very clearly explained in the PHP documentation you are linking to; emphasis mine:
If "URL include wrappers" are enabled in PHP, you can specify the file
to be included using a URL (via HTTP or other supported wrapper - see
Supported Protocols and Wrappers for a list of protocols) instead of a
local pathname. If the target server interprets the target file as PHP
code, variables may be passed to the included file using a URL request
string as used with HTTP GET. This is not strictly speaking the same
thing as including the file and having it inherit the parent file's
variable scope; the script is actually being run on the remote server
and the result is then being included into the local script.
So you cannot include credentials remotely—or any PHP internals—in the way you describe. The only way that could happen is if ~/public_html/includes/functions.php were included locally. That is when PHP internals are exposed.
Or the better way to understand this: When you request a PHP file via http:// or https:// it is parsed & processed via the PHP module in Apache. So it only returns the final product—if any—most often conveyed by an echo statement.
But when you include a file via the local file system it is not parsed by the PHP module in Apache. It is simply raw code. And that is how you can use the functions, classes, variables, strings, constants and anything contained in the internals of that PHP code.
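The difference between fetching functions.php over HTTP and including it locally, as an added example that is not part of the original answer or the PHP documentation. It also checks the condition in the documentation quote ("if the target server interprets the target file as PHP code") by serving the same code under an extension the server does not execute. Assumptions: the file contents, the key and port 8099 are constructed; PHP's built-in web server stands in for Apache; PHP 7.4+ on a Unix-like host; file_get_contents() stands in for a URL include because allow_url_include is off by default.

```php
<?php
// Added example. Constructed inputs: the file contents, the key and port 8099.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);
$src = <<<'SRC'
<?php
$api_key = 'CONSTRUCTED-KEY-123';   // stand-in credential
function call_api() { global $api_key; return "called with $api_key"; }
echo "functions loaded\n";          // the only output the script renders
SRC;
file_put_contents("$dir/functions.php", $src);
file_put_contents("$dir/functions.inc", $src);   // same code, not executed by the server

// PHP's built-in server executes .php files and serves other extensions as static files.
$null = ['file', '/dev/null', 'w'];              // assumes a Unix-like host
$server = proc_open([PHP_BINARY, '-S', '127.0.0.1:8099', '-t', $dir], [1 => $null, 2 => $null], $pipes);
for ($i = 0; $i < 50 && !($sock = @fsockopen('127.0.0.1', 8099)); $i++) {
    usleep(100000);                              // wait for the server to accept connections
}
if (!$sock) { proc_terminate($server); exit("server did not start\n"); }
fclose($sock);

// True when an HTTP response body exposes PHP source or the credential.
function leaks_source(string $body): bool {
    return strpos($body, '<?php') !== false || strpos($body, 'CONSTRUCTED-KEY-123') !== false;
}

foreach (['functions.php', 'functions.inc'] as $name) {
    // file_get_contents() receives the same bytes a URL include would be handed.
    $body = file_get_contents("http://127.0.0.1:8099/$name");
    printf("%-14s leaks source over HTTP: %s\n", $name, leaks_source($body) ? 'YES' : 'no');
}
printf("call_api() defined after HTTP fetches: %s\n", function_exists('call_api') ? 'yes' : 'no');

include "$dir/functions.php";                    // local include: code runs in this process
printf("call_api() defined after local include: %s\n", function_exists('call_api') ? 'yes' : 'no');
echo call_api(), "\n";

proc_terminate($server);
proc_close($server);
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

The same leaks_source() check can be pointed at the real URL of an includes directory to confirm the server executes those files rather than serving them as text.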