[SOLVED] Restrict file access from outside
Posted: Sat Mar 19, 2005 9:24 pm
by anjanesh
Hi
I think this may be related to htaccess.
I have a directory called includes where a lot of scripts in the root call scripts in include (include_once("include/scripta.php")).
I want these include scripts never to be called from outside - like someone typing the URL in the browser (http://xxx.com/include/scripta.php). These are meant only to be called from scripts in root or elsewhere on my host.
How do I do this?
Thanks.
Posted: Sat Mar 19, 2005 9:26 pm
by hawleyjr
Create a directory below the document root and store the files there.
Posted: Sat Mar 19, 2005 9:29 pm
by feyd
a potentially easier way: if a certain constant isn't defined, die().. you could also make them output nothing if called directly, which can be found through some playing around with some server variables and the __FILE__ constant.
There are many ways.
Posted: Sat Mar 19, 2005 9:35 pm
by anjanesh
hawleyjr: That's precisely what I did - all my include scripts are in the include directory under root. But if an error occurs, PHP will show the error with the line no. and the file name where it occurred. And that time it'll show Error in line n in include/scriptx.php. That's when others can find out that the include directory consists of this script and so.
feyd: You mentioned this before in a prev post - but I'll have to keep creating some variable for all my scripts for these purposes.
But isn't there any htaccess way to have this done? I was hoping 2-5 lines in htaccess will do all this for all the files I add in the include directory.
Posted: Sat Mar 19, 2005 9:37 pm
by hawleyjr
If it's an error message you're worried about, why don't you turn off error reporting?
Posted: Sat Mar 19, 2005 9:41 pm
by anjanesh
That's just one way. What if someone did find out that there's a scripta in the include directory and executes it by going to http://xxx.com/include/scripta.php? I want Apache not to allow that at any cost. It should only be allowed within other scripts which call it using include, require etc.
Posted: Sat Mar 19, 2005 9:42 pm
by hawleyjr
If you put the script below the document root a user can't get to it via a URL.
Posted: Sat Mar 19, 2005 9:44 pm
by hawleyjr
I meant to include this in my last post.....
Here is an example of a dir on a server I've used before:
xyz.com
|_htdocs
|_includefiles
|_tmp
|_cgi-bin
|_etc
The user can only see what is in the htdocs directory.
Posted: Sat Mar 19, 2005 9:46 pm
by feyd
keep adding more variables? You create one.. then just check for it in all the includes. Using code is independent of folder settings, customizable, and allows for other servers that don't support .htaccess.
Posted: Sat Mar 19, 2005 9:52 pm
by anjanesh
Where is this below you're talking about?
xxx.com
|
|-public_html
| |
| |
| |-include
|
|
|-include
|
|
|-etc
I see...you mean the include right under xxx.com and not under public_html.
I can access them by giving ../include in include function.
Fine this is good.
Web Host using Red Hat Linux: In case there's an htaccess method please do let me know.
Posted: Sat Mar 19, 2005 9:53 pm
by hawleyjr
Feyd, I see why your solution is easier, if you don't have access to mod .htaccess but from a security standpoint, isn't it better to have files such as db connection below the document root where a user has no way to reach the file via a URL?
What happens if your code looks like this (In every include)
Code:
if (!isset($mySecurityVar) || $mySecurityVar !== 'some phrase or number') {
    // guard variable missing or wrong: print a placeholder and stop
    echo 'Hello World';
    exit;
} else {
    // run file
}
And a user enters a url such as this:
http://www.example.com/somepage.php?myS ... +or+number
Posted: Sat Mar 19, 2005 9:56 pm
by feyd
if you're allowed to do such things, yes.. however, I have to write my code to be flexible and allow for varying policies regarding where files can be stored.. So I use code as a fall back, to make sure (in case someone screws up permissions or whatever)
Posted: Sat Mar 19, 2005 10:02 pm
by anjanesh
I don't have much knowledge in htaccess but I thought Apache server had a great deal of flexibility in order for web developers to do such things.
Posted: Sat Mar 19, 2005 10:10 pm
by feyd
this magic variable is a code level constant. It has no bearing on URL data.
As for Apache's flexibility in htaccess.. yes, there is some.. read the docs, you'll learn lots.
http://httpd.apache.org/docs/howto/htaccess.html
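Added example, not part of the original thread or any poster's code: a sketch of the constant guard discussed above, where the include stops unless the calling script has defined a constant. The constant name APP_ENTRY, the function scripta_greeting() and the temp-directory layout are assumptions made for the demo; it runs from the PHP command line and loads the same include once directly and once through an entry script.

```php
<?php
// Added example: constant guard for include files.
// APP_ENTRY, scripta_greeting() and the temp paths are hypothetical names.

// Build a throwaway "include" directory holding one guarded script.
$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($dir);
$include = $dir . '/scripta.php';

// The guard sits at the very top of the include. A constant exists only
// if code called define(); query string, POST and cookie data can never
// create one, unlike a plain variable on a server that maps request
// parameters to globals.
file_put_contents($include, <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {
    exit; // requested directly: produce no output at all
}
function scripta_greeting()
{
    return 'scripta loaded';
}
PHP
);

// 1) Run the include on its own, the way a direct URL request would.
//    No entry script ran first, so APP_ENTRY is undefined and it exits.
$cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($include);
$direct = (string) shell_exec($cmd);
echo 'direct run printed: ', var_export($direct, true), "\n";

// 2) Load it the intended way: the entry script defines the constant
//    once, before any include, and every include checks the same name.
define('APP_ENTRY', true);
include_once $include;
echo 'included run printed: ', var_export(scripta_greeting(), true), "\n";

// Clean up the demo files.
unlink($include);
rmdir($dir);
```

The guard works the same whether or not the server honours .htaccess, so it can be kept as a fallback even when the includes also live outside the document root.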
Posted: Sat Mar 19, 2005 10:33 pm
by anjanesh
This is not working. I can execute a file within the browser in include directory.
.htaccess file in include directory.
Code:
<Files ~ "\.php$">
    Order Deny,Allow
    Deny from all
</Files>
Once this works I'll add Allow from localhost