Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
With include, everything works fine. But in JS, there's no include, and so I cannot access PHP files inside the 'noentry' folder from my JS files. How do I get around this? Adding allow from 127.0.0.1 will open a security hole since the request header can be faked, so I don't put it in the htaccess.
PHP and Javascript are used primarily for serving applications from a remote server to a local client (browser). I'm sure that's what drove the design of these languages. You are evidently using a browser that happens to be on the same server hardware, so you are thinking in terms of Javascript being able to have access to local files, but that is a special situation that is not how these languages are used, for the most part. Javascript normally has no possibility of accessing files on the server except by sending a request to a PHP script on the server.
Yes, I'm currently tweaking the code on the server machine, so all code is run and modified on the same machine. So how do I solve this matter? Do I need to delegate the calling of those PHP files from another PHP file?
I'm not quite sure what you are trying to achieve. No doubt you are trying to protect certain files from direct access, but you can't possibly use Javascript to access server files anyway. Maybe if you describe what you need to do I might be able to offer suggestions. I understand that you are merely in the development process right now, but what is it that you want to protect in the production environment, and why is Javascript involved at all?
For ajax calls, so no page refresh. My PHP outside the noentry folder will get their 'secret material' handled by the PHP inside the noentry folder. That's where JavaScript comes in.
global_erp_solution wrote: But won't that open a hole where anyone can issue their own home-made ajax request to mimic the ajax from the real web application?
That's always going to be possible. If your browser script can do it, then anyone can copy the approach. We have some security experts here in the forums, and I'm not one of them, so you might want to post in our PHP - Security forum, asking the question as a security question, not a coding question.
What califdon said pretty much sums it up. The AJAX target script has to be visible and there's no workaround for that. You need to write secure code and there's no cheating that.
Moreover your idea that you can write insecure code and then stick it behind a "deny from all" is fallacious: you are still going to include that code from web-facing scripts and you still need the code inside to be safe to execute. Limiting direct access to include files is good, but not a substitute for secure coding.
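An added illustration of the last two replies, not code posted by anyone in the thread: a web-facing AJAX target that stays reachable by anyone but checks the session, a CSRF token and its input before calling code that would live in 'noentry'. The file names, `handle_ajax`, `noentry_lookup_balance`, the `X-CSRF-Token` header and the sample data are assumptions made for the example.

```php
<?php
// ajax/balance.php: hypothetical web-facing AJAX target (constructed example).
declare(strict_types=1);

// In the thread's layout this function would come from the protected folder:
//   require __DIR__ . '/../noentry/account_lib.php';
// It is defined inline here so the example runs by itself.
function noentry_lookup_balance(int $userId, int $accountId): ?string
{
    $rows = [7 => [1001 => '250.00']];          // constructed data, keyed by owner
    return $rows[$userId][$accountId] ?? null;  // only the caller's own rows are reachable
}

/** Decide the response from the request parts; returns [httpStatus, payload]. */
function handle_ajax(array $session, array $server, array $post): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, ['error' => 'method not allowed']];
    }
    // 1. Authentication: the session identifies the caller, not where the request came from.
    if (!isset($session['user_id'])) {
        return [401, ['error' => 'not logged in']];
    }
    // 2. CSRF: per-session token sent in a header, compared in constant time.
    $expected = (string)($session['csrf'] ?? '');
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return [403, ['error' => 'bad token']];
    }
    // 3. Input validation: accept a positive integer only (arrays and strings fail).
    $accountId = filter_var($post['account_id'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    if ($accountId === false) {
        return [400, ['error' => 'invalid account_id']];
    }
    // 4. Authorization is enforced by the included code, which scopes by user id.
    $balance = noentry_lookup_balance((int)$session['user_id'], $accountId);
    return $balance === null ? [404, ['error' => 'not found']] : [200, ['balance' => $balance]];
}

if (PHP_SAPI !== 'cli') {                       // normal wiring behind the web server
    session_start();
    [$status, $body] = handle_ajax($_SESSION, $_SERVER, $_POST);
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
} else {                                        // constructed requests for a command-line run
    $srv = ['REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => 'tok'];
    echo json_encode(handle_ajax([], $srv, ['account_id' => '1001'])), "\n";          // 401
    echo json_encode(handle_ajax(['user_id' => 7, 'csrf' => 'tok'], $srv, ['account_id' => '1001'])), "\n"; // 200
}
```

A home-made request without a valid session gets the 401 branch, and one from a logged-in user for an account they do not own gets 404, so the endpoint being visible does not by itself expose the protected code's data.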