access protected file without include

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

access protected file without include

Post by global_erp_solution »

I have a folder 'noentry' with an htaccess file inside it. The code is like so:

Order Deny,Allow
Deny from all

With include, everything works fine. But in JS there's no include, and so I cannot access the PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding 'allow from 127.0.0.1' will open a security hole since the request header can be faked, so I don't put it in the htaccess.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: access protected file without include

Post by califdon »

PHP and Javascript are used primarily for serving applications from a remote server to a local client (browser). I'm sure that's what drove the design of these languages. You are evidently using a browser that happens to be on the same server hardware, so you are thinking in terms of Javascript being able to have access to local files, but that is a special situation that is not how these languages are used, for the most part. Javascript normally has no possibility of accessing files on the server except by sending a request to a PHP script on the server.
global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

Re: access protected file without include

Post by global_erp_solution »

Yes, I'm currently tweaking the code on the server machine, so all the code is run and modified on the same machine. So how do I solve this matter? Do I need to delegate the calling of those PHP files to another PHP file?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: access protected file without include

Post by califdon »

global_erp_solution wrote:
I have a folder 'noentry' with an htaccess file inside it. The code is like so:

Order Deny,Allow
Deny from all

With include, everything works fine. But in JS there's no include, and so I cannot access the PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding 'allow from 127.0.0.1' will open a security hole since the request header can be faked, so I don't put it in the htaccess.
I'm not quite sure what you are trying to achieve. No doubt you are trying to protect certain files from direct access, but you can't possibly use Javascript to access server files anyway. Maybe if you describe what you need to do I might be able to offer suggestions. I understand that you are merely in the development process right now, but what is it that you want to protect in the production environment, and why is Javascript involved at all?
global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

Re: access protected file without include

Post by global_erp_solution »

For Ajax calls, so there is no page refresh. My PHP outside the noentry folder will get its 'secret material' handled by the PHP inside the noentry folder. That's where JavaScript comes in.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: access protected file without include

Post by califdon »

Oh, OK, then that should be simple. Your Ajax request should be sent to an unprotected PHP script that includes the protected files.
global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

Re: access protected file without include

Post by global_erp_solution »

But won't that open a hole where anyone can issue their own home-made Ajax request to mimic the Ajax from the real web application?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: access protected file without include

Post by califdon »

global_erp_solution wrote:
But won't that open a hole where anyone can issue their own home-made Ajax request to mimic the Ajax from the real web application?

That's always going to be possible. If your browser script can do it, then anyone can copy the approach. We have some security experts here in the forums, and I'm not one of them, so you might want to post in our PHP - Security forum, asking the question as a security question, not a coding question.
global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

Re: access protected file without include

Post by global_erp_solution »

Okay, I see that my post has been moved to the security forum. Thanks. Any workaround on this subject?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: access protected file without include

Post by Mordred »

What califdon said pretty much sums it up. The AJAX target script has to be visible and there's no workaround for that. You need to write secure code and there's no cheating that.

Moreover your idea that you can write insecure code and then stick it behind a "deny from all" is fallacious: you are still going to include that code from web-facing scripts and you still need the code inside to be safe to execute. Limiting direct access to include files is good, but not a substitute for secure coding.
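The protected file itself, written the way Mordred's point requires: safe to execute whether or not the .htaccess is honoured. This is an added example, not the thread's code. The file name noentry/secret.php, the function fetch_secret(), the IN_APP guard constant and the table layout are assumptions; it uses an in-memory SQLite database with constructed rows so it runs offline (needs PHP 7.1 or later with the pdo_sqlite extension), and a real deployment would open its own connection instead.

```php
<?php
// Added example (not from the thread): noentry/secret.php, the file that
// sits behind "Deny from all". It is written so that the access rule is a
// second layer, not the only one:
//   - no top-level side effects: it only defines a function, so a direct hit
//     on /noentry/secret.php (if the rule were ever lost, e.g. AllowOverride
//     None, a move to nginx, a bad deploy) would disclose nothing;
//   - it refuses to run under a web SAPI unless the including script set IN_APP;
//   - it never trusts its caller: typed parameters, an ownership check in the
//     query itself, and a prepared statement instead of string-built SQL.
declare(strict_types=1);

if (!defined('IN_APP') && PHP_SAPI !== 'cli') {
    // Reached directly, or included by something that did not set the guard.
    http_response_code(404);
    exit;
}

/**
 * Return the body of document $docId if it belongs to $userId, else null.
 * The owner check lives in the WHERE clause so that a valid session can never
 * read another user's document by guessing its id.
 */
function fetch_secret(int $userId, string $docId): ?string
{
    static $db = null;
    if ($db === null) {
        // Hypothetical: a real app would connect to its own database here.
        $db = new PDO('sqlite::memory:', null, null, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        // Constructed sample data so the example runs offline.
        $db->exec('CREATE TABLE docs (id TEXT NOT NULL, owner INTEGER NOT NULL, body TEXT NOT NULL)');
        $db->exec("INSERT INTO docs VALUES ('report-1', 7, 'top secret'), ('report-2', 9, 'other')");
    }

    // Bound parameters: an id such as "report-1' OR '1'='1" is compared as a
    // literal string and matches nothing.
    $stmt = $db->prepare('SELECT body FROM docs WHERE id = :id AND owner = :owner');
    $stmt->execute([':id' => $docId, ':owner' => $userId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

// Self-check when run from the command line (php noentry/secret.php).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    var_dump(fetch_secret(7, 'report-1'));                  // string "top secret"
    var_dump(fetch_secret(9, 'report-1'));                  // NULL: wrong owner
    var_dump(fetch_secret(7, "report-1' OR '1'='1"));       // NULL: injection attempt is a plain string
}
```

Two practical notes on the .htaccess layer. The thread's `Order Deny,Allow` / `Deny from all` is Apache 2.2 syntax; on Apache 2.4 it only works if mod_access_compat is loaded, and the native form is `Require all denied`. Better still is to keep the include directory outside DocumentRoot altogether, which needs no web-server rule at all. Address-based `Allow from 127.0.0.1` matches the address of the connecting socket, not a request header, so it is not forgeable from the outside, but it would not help the Ajax case either, because the browser's request arrives from the user's machine, not from localhost.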
global_erp_solution
Forum Commoner
Posts: 25
Joined: Sun Jul 08, 2012 6:47 am

Re: access protected file without include

Post by global_erp_solution »

Could you please explain more about this 'secure coding'? Are you referring to sanitizing?