
php security problem please help

Posted: Sat May 16, 2009 12:21 pm
by realnsleo
Hi everyone. I have just finished developing a web application I hope to put on the WWW very soon. However, my application has various folders that I don't want the public to access directly through a URL, for example the images, config and includes folders, which contain database and PHP scripts containing classes and functions and so on.
Secondly, in the includes folder, for example, I have a file called functions.php. So when someone accesses http://www.mysitename.com/includes/functions.php, I want a message to be output saying the file cannot be accessed.

Can anyone please tell me how I can go about this? Thank you.

Re: php security problem please help

Posted: Sat May 16, 2009 12:40 pm
by ldougherty
Is this on Windows or Linux?

On Windows, just remove the IUSR permissions on the folders you do not want internet viewable.

On Linux, set the appropriate permissions for the folders, i.e. 640, or you can password protect the directories as well.

Re: php security problem please help

Posted: Sat May 16, 2009 1:19 pm
by kaisellgren
Is there a reason why the files are essentially placed in public?

Why do you not construct your site like this:
/home/account/myproj/functions.php
/home/account/public_html/index.php

Re: php security problem please help

Posted: Sat May 16, 2009 1:27 pm
by Darhazer
If the web server is Apache, you can use .htaccess to protect folders... deny access to the files, deny directory listing, etc. And if you have paid hosting, you can always ask your hosting support.

Re: php security problem please help

Posted: Sat May 16, 2009 6:30 pm
by realnsleo
Thanks guys. Oh, and I'm hosting the site on Linux servers. Where can I get more information about .htaccess?

Re: php security problem please help

Posted: Sat May 16, 2009 6:47 pm
by Benjamin
Google.

Anyhow, kaisellgren provided the best solution - moving configuration and system files above the webroot.

Another solution is to define a variable as a constant in files that are ok to access. All of your config and system files can then verify that this variable has been defined before executing.

Something like this:

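// In each file that is OK to access directly (e.g. index.php), before any includes:
define('IS_AUTHORIZED', true);

// At the top of every config and system file:
if (!defined('IS_AUTHORIZED')) {
    // The constant is missing, so this file was requested directly.
    header('HTTP/1.1 403 Forbidden');
    exit('Permission Denied');
}
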
You should also block access using .htaccess however, even with the method I mentioned. All of your important/private files should be in a single folder. You can then block access to just that folder.
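
The .htaccess approach mentioned in the replies above, written out as an added example (not posted by anyone in this thread). The folder names come from the original question; the file contents are constructed, and the images rules assume the pages embed the images with normal tags, so browsers must still be able to fetch them.

```apache
# ---- includes/.htaccess and config/.htaccess (constructed example) ----
# Nothing in these folders is ever requested by a browser. PHP include/require
# reads the files from disk, so denying HTTP access does not break the site.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
# Body sent with the 403 response instead of the default error page
ErrorDocument 403 "File cannot be accessed."

# ---- images/.htaccess (constructed example) ----
# Image files stay reachable, but the folder listing is switched off and
# any script that ends up in this folder is refused.
Options -Indexes
<FilesMatch "\.(php|phtml|inc)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

These directives only take effect if the server configuration allows them in .htaccess: AllowOverride must include AuthConfig (Require), Limit (Order/Deny), Options and FileInfo (ErrorDocument). To confirm, request /includes/functions.php in a browser after uploading and check that the response is 403 with the custom message.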

Re: php security problem please help

Posted: Sat May 16, 2009 6:53 pm
by ldougherty