php includes, and other files, above wwwroot

Posted: Sat Dec 04, 2010 3:34 pm
by SGC
I learned, as best practice, to stick my secure includes, scripts, and anything I don't want the public to have URL access to, in folders above the wwwroot.

Example: website.com/index.htm is under /root/htdoc/index.htm and an include folder might be /root/hiddenstuff/.

Anything under htdoc is accessible by the public, anything under hiddenstuff is only accessible by server scripts/root user.

Unfortunately, my current host (fatcow using apache/php5) doesn't allow this file structure. What I have access to looks like
site_root/
and
site_root/cgi-bin/
...no access to the folder above site_root (and yes I contacted the host to verify this.)

My question: Is there some way to mimic the functionality I am used to (maybe via htaccess?) I'd like to force all requests to site_root/ down a level to a new directory: site_root/ -> site_root/fake_htdoc/. If I can do this I might be able to fake an above wwwroot directory. Unfortunately, my htaccess/php skills are a bit rusty and I'm running out of ideas. Suggestions?

Re: php includes, and other files, above wwwroot

Posted: Sun Dec 05, 2010 1:36 am
by Zyxist
Unfortunately, you can't do that at the PHP level. It's an HTTP server issue. You can protect scripts by adding a check for whether they are included or called directly, but you won't protect other files (i.e. configuration) this way. Personally, I would keep writing to the host asking them to reconfigure your account, because such providers should be buried to the ground.

Re: php includes, and other files, above wwwroot

Posted: Tue Dec 07, 2010 9:25 pm
by SGC
Well, I was able to manage a mostly viable workaround with an .htaccess rewrite that forces everyone out of a directory (sort of a faked sub-root). But you are right, servers should not... EVER... be configured this way. It is, in fact, the first time I'd come across it and I will most likely not be using them for future projects.

Re: php includes, and other files, above wwwroot

Posted: Fri Dec 17, 2010 4:27 pm
by jarofgreen
Simpler: Stick all your private files in one folder, .htaccess in it says "Deny from all". Job done.
(Test this with an image file to make sure your server config allows this)

Re: php includes, and other files, above wwwroot

Posted: Fri Dec 17, 2010 4:33 pm
by greyhoundcode
I appreciate this isn't quite what you are after (just an idea to bear in mind) but as a security measure it is not uncommon to test for a constant and exit if it does not exist. So if you have a script you don't want to be accessed directly you could add something like this as the first line of code:

// Of course you will need to define the constant before calling ...
defined('APPLICATION_CONSTANT') or die('Unauthorised access');
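
Added example, not part of any post in this thread: a constructed command-line demo of the constant guard discussed above, applied to a settings file so that a direct request returns the guard's output instead of the settings. The constant APP_ENTRY, the file name config.php and the settings values are hypothetical.

```php
<?php
// Run with: php demo.php   (needs PHP 5.4+ on the command line)
// Everything here is constructed for illustration.

$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($dir);

// A private file as it would sit inside the web root. The guard is the first
// statement, so nothing below it runs when the file is requested directly.
$guarded = <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);   // web request: refuse with a status code
    }
    exit('Unauthorised access');
}
// Settings kept in a guarded .php file are never sent as raw text the way
// a .ini or .txt file in the same folder would be.
return array('db_host' => 'localhost', 'db_user' => 'constructed_user');
PHP;
file_put_contents("$dir/config.php", $guarded);

// Case 1: direct call, simulated by running the file as its own script.
$cmd    = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$dir/config.php");
$direct = shell_exec($cmd);
echo 'direct call -> ', $direct, PHP_EOL;

// Case 2: the entry script defines the constant first, then includes the file.
define('APP_ENTRY', true);
$config = require "$dir/config.php";
echo 'via entry   -> db_host=', $config['db_host'], PHP_EOL;

// Clean up the temporary files.
unlink("$dir/config.php");
rmdir($dir);
```

The guard only covers files the server hands to PHP; images, uploads and plain-text files in the same folder still need the .htaccess deny rule mentioned earlier in the thread.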