PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Sun Jul 08, 2012 9:58 pm 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
I have a folder 'noentry' with htaccess file inside of it. The code is like so:
Order Deny,Allow
Deny from all
 


With include, everything works fine. But in JS there's no include, so I cannot access PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding allow from 127.0.0.1 would open a security hole since the request header can be faked, so I don't put it in the htaccess.


PostPosted: Sun Jul 08, 2012 10:23 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
PHP and JavaScript are used primarily for serving applications from a remote server to a local client (browser). I'm sure that's what drove the design of these languages. You are evidently using a browser that happens to be on the same server hardware, so you are thinking in terms of JavaScript being able to have access to local files, but that is a special situation that is not how these languages are used, for the most part. JavaScript normally has no possibility of accessing files on the server except by sending a request to a PHP script on the server.


PostPosted: Sun Jul 08, 2012 10:46 pm 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
Yes, I'm currently tweaking the code on the server machine, so all the code is run and modified on the same machine. So how do I solve this matter? Do I need to delegate the calling of those PHP files to another PHP file?


PostPosted: Sun Jul 08, 2012 11:27 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
global_erp_solution wrote:
I have a folder 'noentry' with htaccess file inside of it. The code is like so:
Order Deny,Allow
Deny from all
 

With include, everything works fine. But in JS there's no include, so I cannot access PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding allow from 127.0.0.1 would open a security hole since the request header can be faked, so I don't put it in the htaccess.

I'm not quite sure what you are trying to achieve. No doubt you are trying to protect certain files from direct access, but you can't possibly use JavaScript to access server files anyway. Maybe if you describe what you need to do I might be able to offer suggestions. I understand that you are merely in the development process right now, but what is it that you want to protect in the production environment, and why is JavaScript involved at all?


PostPosted: Sun Jul 08, 2012 11:44 pm 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
For AJAX calls, so there's no page refresh. My PHP outside the noentry folder will get its 'secret material' handled by the PHP inside the noentry folder. That's where JavaScript comes in.


PostPosted: Sun Jul 08, 2012 11:49 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Oh, OK, then that should be simple. Your Ajax request should be sent to an unprotected PHP script that includes the protected files.
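The arrangement described in this reply, as an added example that is not code from the thread: the browser's AJAX request goes to a web-facing script, and only that script includes the file from the denied directory, server-side, so no HTTP request to `noentry/` is ever needed. (That is also why `Allow from 127.0.0.1` would not help: the AJAX request comes from the visitor's browser, not from the server itself.) File names, the `APP_ENTRY` constant, the `user` parameter and the sample data are assumptions; the listing shows two files separated by `=====` markers.

```php
<?php
// ===== noentry/secret.php  (lives in the Deny-from-all directory) =====
// Added example, not code from the thread; paths, names and data are assumed.
// Apache 2.2 .htaccess as posted:       Apache 2.4 equivalent:
//   Order Deny,Allow                       Require all denied
//   Deny from all

// Second line of defence next to the .htaccess: refuse to run unless a
// web-facing script defined APP_ENTRY before including this file. This also
// holds if .htaccess is ever ignored (AllowOverride None, nginx, a new vhost).
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

/** The "secret material": constructed sample data standing in for a DB query. */
function secret_lookup(int $userId): ?array
{
    $records = [
        7  => ['balance' => 1234.56, 'currency' => 'USD'],
        42 => ['balance' => 87.10,   'currency' => 'EUR'],
    ];
    return $records[$userId] ?? null;
}

<?php
// ===== api/balance.php  (web-facing; this is what the JavaScript calls) =====
// Browser side, e.g.:  fetch('/api/balance.php?user=7').then(r => r.json())
define('APP_ENTRY', true);                     // unlock the protected include
require __DIR__ . '/../noentry/secret.php';    // server-side include, no request to noentry/

header('Content-Type: application/json');

// Validate the single parameter; never forward raw $_GET into the include.
// In production the id should come from the authenticated session, not the client.
$userId = filter_input(INPUT_GET, 'user', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
if ($userId === null || $userId === false) {
    http_response_code(400);
    echo json_encode(['error' => 'user must be a positive integer']);
    exit;
}

$row = secret_lookup($userId);
if ($row === null) {
    http_response_code(404);
    echo json_encode(['error' => 'no such user']);
    exit;
}
echo json_encode($row);
```

Split the listing into the two files at the `=====` markers. Requesting `noentry/secret.php` directly is refused twice over: Apache denies it, and if Apache ever stops honouring the .htaccess, the `APP_ENTRY` guard denies it. Requesting `api/balance.php?user=7` works because the include happens inside PHP, where the web server's access rules do not apply.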


PostPosted: Mon Jul 09, 2012 12:12 am 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
But won't that open a hole where anyone can issue their own home-made AJAX request to mimic the AJAX from the real web application?


PostPosted: Mon Jul 09, 2012 11:27 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
global_erp_solution wrote:
But won't that open a hole where anyone can issue their own home-made AJAX request to mimic the AJAX from the real web application?

That's always going to be possible. If your browser script can do it, then anyone can copy the approach. We have some security experts here in the forums, and I'm not one of them, so you might want to post in our PHP - Security forum, asking the question as a security question, not a coding question.


PostPosted: Mon Jul 09, 2012 9:23 pm 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
Okay, I see that my post has been moved to the security forum. Thanks. Any workaround on this subject?


PostPosted: Tue Jul 10, 2012 5:30 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
What califdon said pretty much sums it up. The AJAX target script has to be visible, and there's no workaround for that. You need to write secure code, and there's no cheating that.

Moreover your idea that you can write insecure code and then stick it behind a "deny from all" is fallacious: you are still going to include that code from web-facing scripts and you still need the code inside to be safe to execute. Limiting direct access to include files is good, but not a substitute for secure coding.


PostPosted: Wed Jul 11, 2012 12:10 am 
Forum Commoner

Joined: Sun Jul 08, 2012 6:47 am
Posts: 25
Could you please explain more about this 'secure coding'? Are you referring to sanitizing?
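The point made two posts up (the AJAX target is visible, so the code behind it must be safe to execute no matter who calls it) and the question of what "secure coding" means in practice, illustrated with an added example that is not code from the thread. Sanitizing input is one part; the endpoint also has to check that the caller is logged in, that a logged-in user's browser was not tricked into sending the request (CSRF), that the user can only touch their own row, and that values never reach the SQL text. The table, field and token names are assumptions, and the request handling is written as a function so the same code can be exercised from the command line against a constructed in-memory database.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): a web-facing AJAX endpoint written so that
// it stays safe even though anyone can craft a request to it. Table, field and
// token names are assumed.

/**
 * Handle one "change e-mail" AJAX request.
 * $session and $post are passed in (instead of reading $_SESSION/$_POST directly)
 * so the same code can be exercised from the CLI demo at the bottom.
 * Returns [HTTP status, JSON-encodable body].
 */
function handle_request(array $session, array $post, PDO $db): array
{
    // 1. Authentication: a request forged from outside carries no valid session.
    if (empty($session['user_id'])) {
        return [401, ['error' => 'login required']];
    }
    // 2. CSRF: a victim's browser can be made to POST here, but the attacker
    //    cannot read the per-session token, so the copy they send will not match.
    $expected = (string)($session['csrf_token'] ?? '');
    $sent     = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || $sent === '' || !hash_equals($expected, $sent)) {
        return [403, ['error' => 'bad csrf token']];
    }
    // 3. Input validation: accept only what the handler needs, in the form it needs.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return [400, ['error' => 'invalid e-mail']];
    }
    // 4. Authorization by construction: the row is chosen by the session's user id,
    //    never by an id supplied in the request, so "user=someone_else" cannot happen.
    // 5. Prepared statement: the value is bound, it never becomes part of the SQL text.
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => $session['user_id']]);
    return [200, ['ok' => true, 'email' => $email]];
}

/** Generate the per-session CSRF token (store in $_SESSION at login, embed in the page). */
function new_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// ---- Entry point when served by Apache/PHP ($pdo is your real connection) ----
// session_start();
// header('Content-Type: application/json');
// [$status, $body] = handle_request($_SESSION, $_POST, $pdo);
// http_response_code($status);
// echo json_encode($body);

// ---- CLI self-test against a constructed in-memory database ----
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
    $db->exec("INSERT INTO users VALUES (7, 'old@example.com')");

    $session = ['user_id' => 7, 'csrf_token' => new_csrf_token()];
    $cases = [
        'forged, no session'     => [[],       ['email' => 'x@example.com',   'csrf_token' => 'guess']],
        'logged in, wrong token' => [$session, ['email' => 'x@example.com',   'csrf_token' => str_repeat('0', 64)]],
        'logged in, bad e-mail'  => [$session, ['email' => 'not-an-email',    'csrf_token' => $session['csrf_token']]],
        'legitimate request'     => [$session, ['email' => 'new@example.com', 'csrf_token' => $session['csrf_token']]],
    ];
    foreach ($cases as $name => [$sess, $post]) {
        [$status, $body] = handle_request($sess, $post, $db);
        printf("%-24s -> %d %s\n", $name, $status, json_encode($body));
    }
    echo 'row 7 now: ', $db->query('SELECT email FROM users WHERE id = 7')->fetchColumn(), "\n";
}
```

Run it with `php endpoint.php` (requires the pdo_sqlite extension). The four constructed cases trip each check in turn; only the last one reaches the UPDATE, and the final line shows the row changed. None of this depends on where the file sits or on a `Deny from all`: the checks live in the code that is reachable, which is the only place they can do any good.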

