Securing a folder

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

terryvanduzee
Forum Newbie
Posts: 8
Joined: Fri May 23, 2008 11:52 pm

Securing a folder

Post by terryvanduzee »

Hello

I have placed all my form documents in a folder of their own called Forms.
Is there any way for me to secure the folder so that the only way to open the file is when a specific file calls the page?

I have implemented a captcha, but because I do not want the web spiders to spider the names of the actual forms, I would like to protect it from the outside.

Other than the admin (me), only the calling captcha page should be able to access it.

Thank you for any suggestions.

Terry
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing a folder

Post by Mordred »

(Assuming you will include those files from PHP)

1. Move them outside of the web root (include with ../../blabla)
2. Deny direct access to the files with .htaccess (better: deny access to the whole Forms folder)

I can't figure out what the CAPTCHA has to do with the question, am I missing something?
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Securing a folder

Post by Bruno De Barros »

Mordred, if I use htaccess to deny access to the Forms folder, will I be able to access them using PHP, nevertheless?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Securing a folder

Post by pickle »

.htaccess only re-routes requests coming via Apache. When PHP include()s a file, .htaccess files aren't invoked.

Short answer: yes.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: Securing a folder

Post by Verminox »

You could also try setting a $_SESSION variable after completing the CAPTCHA, something like $_SESSION['human'] = true, and in every form include, check this session variable first, or else kill the script. Yes, it means having to put some code at the top of every file, but it would be more user-friendly if the user is going to use multiple forms in the same session. It would be very annoying for a user to solve a CAPTCHA every 2 minutes.
terryvanduzee
Forum Newbie
Posts: 8
Joined: Fri May 23, 2008 11:52 pm

Re: Securing a folder

Post by terryvanduzee »

I apologize for the late reply here; got caught up in some "need to do stuff".

Thank you for your replies

I think moving the folder to the root is probably the best thing to do. One question first though.
If I move the folder to the root, will the path be visible to the outside world through the PHP code on the pages?
I'm suspecting not because I believe only the results of the PHP code are sent to the browser; is this correct?

Thank you so much
Terry
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: Securing a folder

Post by Verminox »

If your files are outside the webroot, I can't access them via a URL directly. But PHP that runs on the server can access them. So the only way is if a user calls a PHP script in the webroot which in turn include()s the files. So if your PHP script in the webroot has got the necessary validation correct, then you shouldn't have any issues.
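
The pattern the replies above converge on, as an added example that is not code posted by anyone in this thread: a single script inside the web root checks the `$_SESSION['human']` flag set by the CAPTCHA page, then includes a form from a `Forms` directory outside the web root. The script name, directory layout, form file names and the `form` query parameter are assumptions made for illustration.

```php
<?php
// public_html/form.php (hypothetical dispatcher inside the web root)
declare(strict_types=1);

session_start();

// Assumed layout: Forms sits one level above the web root, so no URL maps to it.
const FORMS_DIR = __DIR__ . '/../Forms';

// Assumed allowlist: public name => file inside FORMS_DIR.
// The real file names never appear in a URL or in the HTML sent to the browser.
const FORMS = [
    'contact'  => 'contact_form.php',
    'feedback' => 'feedback_form.php',
];

/**
 * Map a requested form name to an absolute path, or null when the name is
 * not on the allowlist or the file does not resolve inside FORMS_DIR.
 */
function resolve_form(string $name): ?string
{
    if (!array_key_exists($name, FORMS)) {
        return null;
    }
    $base = realpath(FORMS_DIR);
    $path = realpath(FORMS_DIR . '/' . FORMS[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must live under the Forms directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// The CAPTCHA page is assumed to set $_SESSION['human'] = true on success.
if (($_SESSION['human'] ?? false) !== true) {
    http_response_code(403);
    exit('Please complete the CAPTCHA first.');
}

$name = $_GET['form'] ?? '';
$form = is_string($name) ? resolve_form($name) : null;
if ($form === null) {
    http_response_code(404);
    exit('Unknown form.');
}

require $form; // Only the rendered output of the form reaches the browser.
```

Because the request parameter is only ever used as a key into the allowlist, user input never becomes part of the include path.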