Hi everyone. I have just finished developing a web application I hope to put on the WWW very soon. However, my application has various folders that I don't want the public to access directly through a URL, for example the images, config and includes folders, which contain database and PHP scripts containing classes and functions and so on.
Secondly, in the includes folder for example I have a file called functions.php. So when someone accesses http://www.mysitename.com/includes/functions.php, I want a message to be output saying the file cannot be accessed.
Can anyone please tell me how I can go about this? Thank you.
php security problem please help
- ldougherty
- Forum Contributor
- Posts: 103
- Joined: Sun May 03, 2009 11:39 am
Re: php security problem please help
Is this on Windows or Linux?
On Windows, just remove the IUSR permissions on the folders you do not want internet-viewable.
On Linux, set the appropriate permissions for the folders, i.e. 640, or you can password-protect the directories as well.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: php security problem please help
Is there a reason why the files are essentially placed in public?
Why do you not construct your site like this:
/home/account/myproj/functions.php
/home/account/public_html/index.php
Re: php security problem please help
If the web server is apache, you can use .htaccess to protect folders... deny access to the files, deny directory listing, etc. And if you have paid hosting, you can always ask your hosting support.
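As an added illustration of the .htaccess approach in the reply above (this is example configuration, not something posted in the thread), the file below would live inside the folder that must not be served, for example includes/.htaccess. The path, the folder name and the error message are assumed from the original question; the directives themselves are standard Apache ones.

```apache
# /home/account/public_html/includes/.htaccess  (added example; path assumed)
# Refuse every HTTP request for anything inside this folder.
# PHP's own include/require reads the files from disk, so scripts that
# pull in functions.php from index.php keep working.

# Apache 2.4 and newer
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and older
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# No automatic directory listings for this folder either
Options -Indexes

# Text returned with the 403 (message assumed from the question)
ErrorDocument 403 "File cannot be accessed"
```

For this to take effect the hosting account's Apache configuration must permit these overrides (AllowOverride covering Limit/AuthConfig, Options and FileInfo); shared hosts usually do, but the quick check is to request http://www.mysitename.com/includes/functions.php in a browser and confirm a 403 comes back rather than the script's output. Note that this only blocks direct requests: if the server is ever misconfigured to serve .php files as plain text, the source of anything still under public_html is exposed, which is why moving the files above the webroot (kaisellgren's suggestion) is the stronger fix.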
Re: php security problem please help
Thanks guys. Oh, and I'm hosting the site on Linux servers. Where can I get more information about .htaccess?
Re: php security problem please help
Google.
Anyhow, kaisellgren provided the best solution - moving configuration and system files above the webroot.
Another solution is to define a variable as a constant in files that are ok to access. All of your config and system files can then verify that this variable has been defined before executing.
Something like this:
You should also block access using .htaccess however, even with the method I mentioned. All of your important/private files should be in a single folder. You can then block access to just that folder.
define('IS_AUTHORIZED', true); // in the public entry script, before any include

if (!defined('IS_AUTHORIZED')) { // defined(), not is_defined(), is the PHP function
    header('HTTP/1.1 403 Forbidden');
    exit('Permission Denied');
}
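Putting the two replies together (kaisellgren's layout with the project folder above public_html, and the marker-constant guard from the post above), here is an added example of how the entry script and a guarded include fit together. It is not code from the thread; the directory names, the greet() function and the 403 message are assumed for illustration.

```php
<?php
// ---- /home/account/public_html/index.php ----
// The only script the web server is meant to serve. It sets the marker
// constant *before* pulling in anything, so included files can tell they
// were reached through a legitimate entry point.
define('IS_AUTHORIZED', true);

// Path assumed from kaisellgren's layout: the project lives one level
// above public_html, so no URL maps to it at all.
require __DIR__ . '/../myproj/includes/functions.php';

echo greet('world');


// ---- /home/account/myproj/includes/functions.php ----
// Guard: if this file is executed without the marker (for example a copy
// accidentally left under the webroot and requested directly), refuse and
// stop. header() must run before any output, so the guard is the very
// first thing in the file. The real PHP function is defined(), not
// is_defined().
if (!defined('IS_AUTHORIZED')) {
    header('HTTP/1.1 403 Forbidden');
    exit('file cannot be accessed');   // message assumed from the question
}

// Hypothetical helper standing in for the application's real functions.
function greet($name)
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

The guard only helps if every include remembers it, and it does nothing for files that are not PHP (config.ini, SQL dumps, backups), so treat it as a second layer behind the directory placement: with the files above public_html there is simply no URL that reaches them, and a request for /includes/functions.php returns a plain 404. A quick check after deploying is to request the include's old URL and confirm the server no longer answers with the script's output.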