php security problem please help

realnsleo
Forum Newbie
Posts: 15
Joined: Sat May 16, 2009 12:08 pm

php security problem please help

Post by realnsleo »

hi everyone .. i have just finished developing a web application i hope to put on the www very soon. however my application has various folders that i don't want the public to access directly through a URL for example the images, config and includes folder which contain database and php scripts containing classes and functions and so on..
secondly in the includes folder for example i have a file called functions.php. so when someone accesses http://www.mysitename.com/includes/functions.php, i want a message to be output saying file cannot be accessed.

can anyone please tell me how i can go about this. thank you
ldougherty
Forum Contributor
Posts: 103
Joined: Sun May 03, 2009 11:39 am

Re: php security problem please help

Post by ldougherty »

Is this on Windows or Linux?

On Windows just remove the IUSR permissions on the folders you do not want internet viewable

On Linux set the appropriate permissions for the folders, i.e. 640 or you can password protect the directories as well.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php security problem please help

Post by kaisellgren »

Is there a reason why the files are essentially placed in public?

Why do you not construct your site like this:
/home/account/myproj/functions.php
/home/account/public_html/index.php
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: php security problem please help

Post by Darhazer »

If the web server is Apache, you can use .htaccess to protect folders... deny access to the files, deny directory listing, etc. And if you have paid hosting, you can always ask your hosting support.
realnsleo
Forum Newbie
Posts: 15
Joined: Sat May 16, 2009 12:08 pm

Re: php security problem please help

Post by realnsleo »

thanks guys .. oh and i'm hosting the site on linux servers. where can i get more information about .htaccess?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: php security problem please help

Post by Benjamin »

Google.

Anyhow, kaisellgren provided the best solution - moving configuration and system files above the webroot.

Another solution is to define a variable as a constant in files that are ok to access. All of your config and system files can then verify that this variable has been defined before executing.

Something like this:

Code:

// In files that are ok to access directly
define('IS_AUTHORIZED', true);

Code:

// At the top of every config and system file
if (!defined('IS_AUTHORIZED')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Permission Denied');
}

You should also block access using .htaccess however, even with the method I mentioned. All of your important/private files should be in a single folder. You can then block access to just that folder.
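
A way to audit both protections suggested in this thread, as an added example that is not part of any post: it lists PHP files in a private folder that lack the `defined('IS_AUTHORIZED')` guard and checks that the folder's .htaccess denies all requests. The function names, the 10-line window and the directive patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the guard sits in the
# first 10 lines of each file, and the private folder has its own .htaccess.
# This is a text match: a commented-out guard would still pass.

# ERE matching defined('IS_AUTHORIZED' or defined("IS_AUTHORIZED"
GUARD_RE="defined\\([[:space:]]*['\"]IS_AUTHORIZED['\"]"

# Print every .php file under $1 whose first 10 lines lack the guard.
files_missing_guard() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        head -n 10 "$f" | grep -Eq "$GUARD_RE" || printf '%s\n' "$f"
    done
}

# Succeed if $1/.htaccess denies all requests (Apache 2.4 or 2.2 syntax).
htaccess_denies_all() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$1/.htaccess"
}

# Run both checks on folder $1; print findings, return 1 if any were found.
audit_private_dir() {
    rc=0
    missing=$(files_missing_guard "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing guard: /'
        rc=1
    fi
    if ! htaccess_denies_all "$1"; then
        printf 'no deny-all .htaccess: %s\n' "$1"
        rc=1
    fi
    return "$rc"
}
```

Call `audit_private_dir` with the path of the private folder, for example before each deployment; a non-zero exit status means at least one file or the folder itself is unprotected.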
ldougherty
Forum Contributor
Posts: 103
Joined: Sun May 03, 2009 11:39 am

Re: php security problem please help

Post by ldougherty »
