PHP Developers Network
http://forums.devnetwork.net/

access protected file without include
http://forums.devnetwork.net/viewtopic.php?f=34&t=136179
Page 1 of 1

Author:  global_erp_solution [ Sun Jul 08, 2012 9:58 pm ]
Post subject:  access protected file without include

I have a folder 'noentry' with an htaccess file inside of it. The code is like so:
Order Deny,Allow
Deny from all
 


With include, everything works fine. But in JS there's no include, so I cannot access PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding allow from 127.0.0.1 will open a security hole since the request header can be faked, so I don't put it in the htaccess.

Author:  califdon [ Sun Jul 08, 2012 10:23 pm ]
Post subject:  Re: access protected file without include

PHP and JavaScript are used primarily for serving applications from a remote server to a local client (browser). I'm sure that's what drove the design of these languages. You are evidently using a browser that happens to be on the same server hardware, so you are thinking in terms of JavaScript being able to have access to local files, but that is a special situation that is not how these languages are used, for the most part. JavaScript normally has no possibility of accessing files on the server except by sending a request to a PHP script on the server.

Author:  global_erp_solution [ Sun Jul 08, 2012 10:46 pm ]
Post subject:  Re: access protected file without include

Yes, I'm currently tweaking the code on the server machine, so all code is run and modified on the same machine. So how do I solve this matter? Do I need to delegate the calling of those PHP scripts to another PHP script?

Author:  califdon [ Sun Jul 08, 2012 11:27 pm ]
Post subject:  Re: access protected file without include


Author:  global_erp_solution [ Sun Jul 08, 2012 11:44 pm ]
Post subject:  Re: access protected file without include

For Ajax calls, so there's no page refresh. My PHP outside the noentry folder will get its 'secret material' handled by the PHP inside the noentry folder. That's where JavaScript comes in.

Author:  califdon [ Sun Jul 08, 2012 11:49 pm ]
Post subject:  Re: access protected file without include

Oh, OK, then that should be simple. Your Ajax request should be sent to an unprotected PHP script that includes the protected files.

Author:  global_erp_solution [ Mon Jul 09, 2012 12:12 am ]
Post subject:  Re: access protected file without include

But won't that open a hole where anyone can issue their own home-made Ajax request to mimic the Ajax from the real web application?

Author:  califdon [ Mon Jul 09, 2012 11:27 am ]
Post subject:  Re: access protected file without include


Author:  global_erp_solution [ Mon Jul 09, 2012 9:23 pm ]
Post subject:  Re: access protected file without include

Okay, I see that my post has been moved to the security thread. Thanks. Any workaround on this subject?

Author:  Mordred [ Tue Jul 10, 2012 5:30 am ]
Post subject:  Re: access protected file without include

What califdon said pretty much sums it up. The AJAX target script has to be visible and there's no workaround for that. You need to write secure code and there's no cheating that.

Moreover your idea that you can write insecure code and then stick it behind a "deny from all" is fallacious: you are still going to include that code from web-facing scripts and you still need the code inside to be safe to execute. Limiting direct access to include files is good, but not a substitute for secure coding.
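
The arrangement califdon and Mordred describe, as an added example that is not part of the thread: a web-facing script authenticates and validates the Ajax request before it includes code from 'noentry'. The file names `ajax.php` and `noentry/secret.php`, the function `load_record()`, and the `user_id`, `csrf_token` and `record_id` fields are assumptions for illustration.

```php
<?php
// ajax.php: hypothetical web-facing endpoint placed OUTSIDE 'noentry'.
declare(strict_types=1);
// Decide whether a request may reach the protected code.
// Returns [HTTP status, validated record id or null].
function authorize(string $method, array $session, array $post): array
{
    if ($method !== 'POST') {
        return [405, null];              // only POST is accepted
    }
    if (empty($session['user_id'])) {
        return [401, null];              // no logged-in session
    }
    // CSRF token: stored in the session at login, echoed back by the page's JS.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return [403, null];
    }
    // Validate input before the protected code ever sees it.
    $id = filter_var($post['record_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, null];
    }
    return [200, $id];
}

if (PHP_SAPI !== 'cli') {                // real web request
    session_start();
    [$status, $id] = authorize($_SERVER['REQUEST_METHOD'], $_SESSION, $_POST);
    http_response_code($status);
    header('Content-Type: application/json');
    if ($status !== 200) {
        echo json_encode(['error' => $status]); exit;
    }
    // "Deny from all" blocks HTTP requests, not a server-side include.
    require __DIR__ . '/noentry/secret.php';   // hypothetical, defines load_record()
    echo json_encode(load_record($id, (int) $_SESSION['user_id']));
    exit;
}

// Constructed sample requests for a command-line run: php ajax.php
$session = ['user_id' => 7, 'csrf_token' => bin2hex(random_bytes(16))];
$good = ['csrf_token' => $session['csrf_token'], 'record_id' => '42'];
var_dump(authorize('POST', $session, $good));                     // well-formed call
var_dump(authorize('POST', [], $good));                           // no session
var_dump(authorize('POST', $session, ['record_id' => '42']));     // token missing
var_dump(authorize('POST', $session, ['record_id' => '1 OR 1=1'] + $good)); // bad id
```

The token check stops forged cross-site requests, but a logged-in user can still send hand-made requests of their own. The protected code therefore has to check that this user may act on this record, which is why the session's user id is passed to the hypothetical `load_record()`.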

Author:  global_erp_solution [ Wed Jul 11, 2012 12:10 am ]
Post subject:  Re: access protected file without include

Could you please explain more about this 'secure coding'? Are you referring to sanitizing?

All times are UTC - 5 hours