Correctly Setting the .htaccess file.

TaAngel1962
Forum Newbie
Posts: 10
Joined: Thu Dec 11, 2008 7:26 pm

Post by TaAngel1962 »

Hi

OK, here of late, well, at present actually, I have had some issues with sites that I never had any with in over a year they have been up. I was reading posts about the php.ini file. I know the php.ini are similar but quite different in ways.

Can someone tell me the correct way to have an excellent .htaccess file on the server to help stop security problems?
This .htaccess file was edited by a friend of mine, so after seeing many examples, I don't think mine is set correctly and it could be causing problems for me now.

Example of .htaccess file I have :
_____________________________

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName http://www.mydomain.info
AuthUserFile /home/xxxx/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/xxxxxs/public_html/_vti_pvt/service.grp
php_flag register_globals on

I have been doing PHP for a few years and I am still very new at some of the major issues with it, settings etc. And I would like to know if this is set right or what I need to do to make it more secure. Also, the correct way to make sure of security in a php.ini.

Thanks
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Correctly Setting the .htaccess file.

Post by requinix »

My opinion on the matter:

- Disable indexes. If you forget an index.htm (or whatever the "default" file is) then the user gets a directory listing.
- Having a Deny All and an Allow All doesn't make sense. There's no point for that Limit.
- Turn off register_globals

Code:

# -FrontPage-
 
Options -Indexes
 
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName http://www.mydomain.info
AuthUserFile /home/xxxx/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/xxxxxs/public_html/_vti_pvt/service.grp
php_flag register_globals off
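
The three points in the reply above can be checked mechanically. The following Python sketch is an added example, not code from the thread or from Apache or PHP: it audits .htaccess text for a Limit block whose "deny from all" is cancelled by "allow from all", for a missing "Options -Indexes", and for register_globals switched on. The function name audit_htaccess and the finding texts are assumptions of this example; ORIGINAL reproduces the first post's file without its Auth lines.

```python
import re

# The .htaccess from the first post (Auth* lines left out, they are not checked).
ORIGINAL = """\
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
php_flag register_globals on
"""

def audit_htaccess(text):
    """Return (line_number, finding) pairs; line 0 means a file-wide finding."""
    findings, indexes_off, block = [], False, None
    for n, raw in enumerate(text.splitlines(), 1):
        low = " ".join(raw.lower().split())      # normalise case and spacing
        if not low or low.startswith("#"):
            continue
        m = re.match(r"<limit\s+([^>]+)>", low)
        if m:                                     # entering a <Limit ...> block
            block = (n, m.group(1).upper(), set())
        elif low == "</limit>" and block:
            start, methods, rules = block
            # Under "order deny,allow" a matching Allow overrides the Deny,
            # so this combination leaves every client allowed.
            if {"order deny,allow", "deny from all", "allow from all"} <= rules:
                findings.append((start, f"<Limit {methods}>: 'deny from all' "
                                        "is cancelled by 'allow from all'"))
            block = None
        elif block and low.startswith(("order ", "deny from", "allow from")):
            block[2].add(low)
        elif low.startswith("options ") and "-indexes" in low.split():
            indexes_off = True
        elif re.fullmatch(r"php_flag register_globals (on|1)", low):
            findings.append((n, "register_globals is enabled"))
    if not indexes_off:  # the server config may still disable listings
        findings.append((0, "no 'Options -Indexes' in this file"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_htaccess(ORIGINAL):
        print(lineno, finding)
```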

Post by TaAngel1962 »

Hi

Thanks for your response. I tried turning off the globals, but the site won't run without it. Any ideas on how to bypass this problem? When I tried turning the globals off, the site won't even come up, period.

Even though I have been in php editing for a few years, I should know all this, but I am still learning more and more each day. I would love for the globals to be turned off but as I mentioned the site will not run without the globals turned on.

Thanks

Post by requinix »

If there are a lot of files then going through and fixing the code isn't really an option. You're stuck leaving it on then.

But when you make new files, or if you're editing a file and have a chance, make sure you write code that doesn't rely on register_globals.

Post by TaAngel1962 »

Hi

Thanks for your fast reply. Oh this one I didn't write, this was a script which I purchased a long time ago, and installed and it was running fine as I mentioned for over a year and then the other day Boooom problems??

I corrected the lines and reuploaded, still with "globals on" and I still get the error. But I also noticed and have never seen this before in all my web designing years and all the years I have been doing scripts and chmoding etc. I have several .htaccess's in the root in the subdomains and in image folders. I have never ever seen this before.

But I am also aware that by leaving "globals on" the sites which are using this script are just waiting for an attack... and I don't want this. But how, or can't I, rewrite the .htaccess to somehow turn the globals off when needed?

Thanks