chmod question
I want to secure the folder on my site that contains my php includes. one of the inc files contains the log-in for the database. Currently, if someone knows the actual file name, they can display it in a browser. If I set chmod to 700, then some features on the site stop working. Can I use chmod for this purpose, or is there a better way to secure these files?
Thanks for any suggestions.
Re: chmod question
To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):
<?php
// *** Make sure the file isn't accessed directly
if (stripos($_SERVER['SCRIPT_FILENAME'], "db.php") !== false) {
    // Give out an "access denied" error
    echo "access denied";
    // Block all other code
    exit();
}
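A sturdier form of the same guard, added here as an example rather than taken from Robert07's post: instead of searching the script path for a file name, it compares the path of the script the web server actually ran against the include file's own resolved path, so the check does not depend on how the file is named.

```php
<?php
// Added example (not Robert07's code): direct-access guard for an include file
// such as db.php that must only ever be pulled in via include/require.
//
// $_SERVER['SCRIPT_FILENAME'] is the script the web server handed to PHP.
// When this file is included from index.php, that value is index.php's path
// and the guard passes; when a browser requests this file by URL, the value
// is this file's own path and the guard fires. Both sides are normalised with
// realpath() so symlinks and "./" segments do not cause a false mismatch.
$entryScript = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;

if ($entryScript === false || $entryScript === realpath(__FILE__)) {
    // Direct request: refuse, say nothing useful, and stop executing.
    http_response_code(403);            // PHP 5.4 or later
    header('Content-Type: text/plain');
    echo 'access denied';
    exit;
}

// From here on the file behaves as an ordinary include.
$dbHost = 'localhost';   // placeholder values, not real credentials
$dbUser = 'username';
$dbPass = 'password';
```

Because the comparison is made on filesystem paths after the web server has already decoded the request, URL-encoding tricks in the request do not change what is compared.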
Re: chmod question
The best way would be to put the included scripts outside of the document root where they are not accessible directly.
Re: chmod question
Thanks for the responses. The stripos solution is interesting but did not work for me. Putting the file outside the root would simply be a little inconvenient for me as it is a file I edit VERY often. It works best for me to use FTP access to the site subdirectory while working on the site files.
I read of a solution I like in the security chapter of "Programming PHP" where one changes the Apache server as follows, but the book doesn't tell where to put the code snippet, and I wonder if I can make this change in a shared hosting environment. Any thoughts?
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
Re: chmod question
Why is it viewable in a browser?
If you have php variables, nobody will know what they are.
eg. sample db.php
<?php
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('mydatabase', $dbh);
If I were to pull up mydomain.com/inc/db.php using that code only a blank page would be shown.
Re: chmod question
Why is it viewable in a browser?
Because if someone actually types the url to the file, it will be viewable. I've tried it myself and indeed, the code is viewable.
Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk, but I am now collaborating with someone who believes it would be best to make it impossible for anyone to directly view the include file.
Re: chmod question
The misunderstanding here is that you have named your includes .inc
If you would name them somefile.inc.php the source will not be shown when someone visits the file.
As pytrin suggested, best is to place them outside doc root. Second best is to deny access to the directory the files are in. After that rely on the fact that the source of php files is not shown.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: chmod question
Robert07 wrote:
To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):
// *** Make sure the file isn't accessed directly
if(stripos($_SERVER['SCRIPT_FILENAME'],"db.php")!==false) {
//Give out an "access denied" error
echo "access denied";
//Block all other code
exit();
}
Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
rhecker wrote:
Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk,
It is a risk and as already noted, you are better off placing the files outside doc root.
Re: chmod question
OK, so I'm convinced. I will put the file above the root.
But how do I call a file above the root?
I tried the following, but it doesn't work:
$path = "http://" . $_SERVER['SERVER_ADDR'];
include($path . "/myfile.php");
I get a message "Page not found". Am I doing this wrong?
Re: chmod question
kaisellgren wrote:
Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
Good point, the example I pulled from actually was checking to make sure the filename was index.php, but that was a site where everything was included from the index page so it made sense. In my effort to make the example generic it lost its usefulness...
- kaisellgren
Re: chmod question
rhecker wrote:
I tried the following, but it doesn't work:
$path = "http://".$_SERVER ['SERVER_ADDR'];
include ($path . "/myfile.php");
I get a message "Page not found". Am I doing this wrong?
Don't include URIs. See viewtopic.php?f=34&t=106984
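What the thread settles on (keep db.php outside the document root and include it by filesystem path, not by URL), worked through as an added example that is not rhecker's or any poster's code; it assumes a layout with a private/ directory beside the public/ document root and PHP 7 or later.

```php
<?php
// Added example (not from the thread). Assumed layout, where only public/ is
// served by the web server:
//
//   /home/user/site/private/db.php    <- credentials, not reachable by URL
//   /home/user/site/public/index.php  <- this file (document root)
//
// include() with an "http://" URL (as tried above) asks the web server for the
// file, so PHP would at best receive the rendered *output* of db.php, and with
// allow_url_include off (the default) the include is refused outright.
// include() needs a filesystem path.

// Resolve the private directory relative to this script, not to the current
// working directory, which differs between web and command-line runs.
$privateDir = realpath(__DIR__ . '/../private');
if ($privateDir === false) {
    http_response_code(500);
    exit('configuration directory missing');
}

/**
 * Require a named file from the private directory, refusing any name that
 * resolves outside it (for example one containing "../" taken from input).
 */
function requirePrivate(string $privateDir, string $name)
{
    $target = realpath($privateDir . DIRECTORY_SEPARATOR . $name);
    if ($target === false
        || strpos($target, $privateDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("refusing to include '$name'");
    }
    require_once $target;
}

requirePrivate($privateDir, 'db.php');   // defines $dbh, as in the thread

// Alternative once the directory is known: put it on the include path and
// keep the include statements short.
// set_include_path($privateDir . PATH_SEPARATOR . get_include_path());
// require_once 'db.php';
```

On shared hosting the private/ directory only needs to be readable by the account PHP runs as; no Apache configuration change is involved, which answers the earlier question about whether the book's `<Files>` block is needed.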