[SOLVED] Restrict file access from outside
Hi
I think this may be related to htaccess.
I have a directory called includes where a lot of scripts in the root call scripts in include (include_once("include/scripta.php")).
I want these include scripts never to be called from outside - like someone typing the URL in the browser (http://xxx.com/include/scripta.php). These are meant only to be called from scripts in root or elsewhere on my host.
How do I do this?
Thanks.
Last edited by anjanesh on Sun Mar 20, 2005 12:37 am, edited 1 time in total.
hawleyjr : That's precisely what I did - all my include scripts are in the include directory under root. But if an error occurs, PHP will show the error with the line no. and the file name where it occurred. And that time it'll show Error in line n in include/scriptx.php. That's when others can find out that the include directory consists of this script and so.
feyd : You mentioned this before in a prev post - but I'll have to keep creating some variable for all my scripts for these purposes.
But isn't there any htaccess way to have this done? I was hoping 2-5 lines in htaccess will do all this for all my files I add in the include directory.
That's just one way. What if someone did find out that there's a scripta in the include directory and executed it by going to http://xxx.com/include/scripta.php? I want Apache not to allow that at any cost. It should only be allowed within other scripts which call it using include, require etc.
Where is this below you're talking about?
xxx.com
|
|-public_html
| |
| |
| |-include
|
|
|-include
|
|
|-etc
I see... you mean the include right under xxx.com and not under public_html.
I can access them by giving ../include in the include function.
Fine, this is good.
Web Host using Red Hat Linux : In case there's a htaccess method please do let me know.
Feyd, I see why your solution is easier, if you don't have access to mod .htaccess but from a security standpoint, isn't it better to have files such as db connection below the document root where a user has no way to reach the file via a URL?
What happens if your code looks like this (In every include)
Code:
if(!isset($mySecurityVar) || $mySecurityVar !== 'some phrase or number'){
    echo 'Hello World';
    exit;
}else{
    //run file
}
And a user enters a url such as this:
http://www.example.com/somepage.php?myS ... +or+number
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
This magic variable is a code-level constant. It has no bearing on URL data.
As for Apache's flexibility in htaccess... yes, there is some. Read the docs, you'll learn lots. http://httpd.apache.org/docs/howto/htaccess.html
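The difference feyd points to, shown as an added example that is not part of the original thread: a guard built on a variable can be satisfied by request data when variables are populated from the query string (emulated here with extract(), standing in for the old register_globals setting), while a guard built on a constant cannot. The constant name IN_APP and both function names are hypothetical, and the request array is constructed.

```php
<?php
// Added example, not code from the thread. IN_APP, variable_guard_passes()
// and constant_guard_passes() are hypothetical names.

// Guard built on a variable, as in the snippet quoted above.
// extract() emulates the legacy register_globals=On behaviour (removed in
// PHP 5.4), where every query-string parameter became a variable in scope.
function variable_guard_passes(array $query): bool
{
    extract($query);
    return isset($mySecurityVar) && $mySecurityVar === 'some phrase or number';
}

// Guard built on a constant. An include file would carry it as its first
// statement:
//     if (!defined('IN_APP')) { http_response_code(403); exit; }
// defined() only sees constants created by define()/const in PHP code, so
// request data can create a variable $IN_APP but never the constant IN_APP.
function constant_guard_passes(array $query): bool
{
    extract($query);
    return defined('IN_APP');
}

// Constructed request: the include file is requested directly and the guard
// names are supplied in the query string.
$directRequest = [
    'mySecurityVar' => 'some phrase or number',
    'IN_APP'        => '1',
];

echo "variable guard, direct request: ";
var_dump(variable_guard_passes($directRequest));

echo "constant guard, direct request: ";
var_dump(constant_guard_passes($directRequest));

// A legitimate entry script in the web root defines the constant before it
// includes anything from the include directory.
define('IN_APP', true);

echo "constant guard, after entry script defined IN_APP: ";
var_dump(constant_guard_passes([]));
```

The guard only stops a directly requested include from running its body; keeping the include directory outside public_html, as discussed earlier in the thread, stops the request from reaching the file at all.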
This is not working. I can execute a file within the browser in include directory.
.htaccess file in include directory.
Code:
<Files ~ "\.php$">
Order Deny,Allow
Deny from all
</Files>
Once this works I'll add Allow from localhost