Restricting script access, but not web

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

blaher
Forum Newbie
Posts: 3
Joined: Tue Oct 27, 2009 12:56 pm
Location: East Sparta, OH

Restricting script access, but not web

Post by blaher »

I'll have to set up an example, so I can explain this better.
Say I have the following directory setup:

/public_html/
- /config.php
- /index.php
- /inc/
- /site1/
- /site2/

In /public_html I have the domain rootsite.com pointing to /public_html/. I have site1.com pointing to /public_html/site1/ and site2.com to /public_html/site2/.

Site1 and site2 are my friend's sites.

Now the problem is there could be an injected file in /site1 that uses:

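Code:

<?php
    // Read the root site's configuration from inside /site1/
    include('../config.php');
    echo $password, "\n";
    // Read the neighbouring site's configuration
    include('../site2/config.php');
    echo $password, "\n";

    // Overwrite the root site's index page
    $fh = fopen('../index.php', 'w');
    fwrite($fh, "You've been hacked\n");
    fclose($fh);
?>
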
I want to restrict this somehow from happening, without blocking web access.
akuji36
Forum Contributor
Posts: 190
Joined: Tue Oct 14, 2008 9:53 am
Location: Hartford, Connecticut

Re: Restricting script access, but not web

Post by akuji36 »

blaher
Forum Newbie
Posts: 3
Joined: Tue Oct 27, 2009 12:56 pm
Location: East Sparta, OH

Re: Restricting script access, but not web

Post by blaher »

akuji36 wrote:Take a look at this
http://www.wmtips.com/php/simple-ways-r ... -using.htm
thanks
Rod
That's not what I want. Please read my question more thoroughly.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Restricting script access, but not web

Post by kaisellgren »

PHP can't really do much about it. It's the web server's responsibility. "Shared hosting" is the term.
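
One web-server-side way to contain the script from the question, as an added example that is not part of the thread: a per-directory open_basedir limit. It assumes Apache with mod_php and access to the main server configuration; the paths are the ones written in the question, without the account's real filesystem prefix.

```apache
# Added example, not from the thread. Assumes Apache with mod_php.
# php_admin_value is only accepted in the server configuration, not in
# .htaccess, so a site owner cannot switch the limit off from inside the site.
# Paths are as written in the question; prepend the real filesystem prefix.

# Root site: PHP may open files anywhere under its own tree.
<Directory "/public_html">
    php_admin_value open_basedir "/public_html/"
</Directory>

# Friend sites: PHP is confined to the site's own subtree, so
# include('../config.php') and fopen('../index.php', 'w') are refused.
# <Directory> is used instead of <VirtualHost> so the limit follows the
# files themselves, including when a file in /site1/ is requested through
# rootsite.com/site1/ rather than site1.com.
# The trailing slash matters: without it the value is a prefix match and
# "/public_html/site1" would also allow "/public_html/site10/".
<Directory "/public_html/site1">
    php_admin_value open_basedir "/public_html/site1/"
</Directory>

<Directory "/public_html/site2">
    php_admin_value open_basedir "/public_html/site2/"
</Directory>
```

open_basedir only limits PHP's own file functions, and every site here still runs as the same operating-system user. Full separation needs each site running under its own account with file permissions to match.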