Securing a folder
Posted: Sun May 25, 2008 6:21 pm
by terryvanduzee
Hello
I have placed all my form documents in a folder of their own called Forms.
Is there any way for me to secure the folder so that the only way to open the file is when a specific file calls the page?
I have implemented a captcha, but because I do not want the web spiders to spider the names of the actual forms, I would like to protect it from the outside.
Other than the admin (me), only the calling captcha page should be able to access it.
Thank you for any suggestions.
Terry
Re: Securing a folder
Posted: Mon May 26, 2008 12:52 am
by Mordred
(Assuming you will include those files from PHP)
1. Move them outside of the web root (include with ../../blabla)
2. Deny direct access to the files with .htaccess (better: deny access to the whole Forms folder)
I can't figure out what the CAPTCHA has to do with the question, am I missing something?
Re: Securing a folder
Posted: Mon May 26, 2008 5:30 am
by Bruno De Barros
Mordred, if I use htaccess to deny access to the Forms folder, will I be able to access them using PHP, nevertheless?
Re: Securing a folder
Posted: Mon May 26, 2008 10:14 am
by pickle
.htaccess only re-routes requests coming via Apache. When PHP include()s a file, .htaccess files aren't invoked.
Short answer: yes.
Re: Securing a folder
Posted: Mon May 26, 2008 1:49 pm
by Verminox
You could also try setting a $_SESSION variable after completing the CAPTCHA, something like $_SESSION['human'] = true, and in every form include, check this session variable first, or else kill the script. Yes, it means having to put some code at the top of every file, but it would be more user-friendly if the user is going to use multiple forms in the same session. It would be very annoying for a user to solve a CAPTCHA every 2 minutes.
Re: Securing a folder
Posted: Tue May 27, 2008 10:14 am
by terryvanduzee
I apologize for the late reply here... got caught up in some "need to do stuff".
Thank you for your replies
I think moving the folder to the root is probably the best thing to do. One question first though.
If I move the folder to the root, will the path be visible to the outside world through the PHP code on the pages?
I'm suspecting not because I believe only the results of the PHP code are sent to the browser; is this correct?
Thank you so much
Terry
Re: Securing a folder
Posted: Thu May 29, 2008 7:45 am
by Verminox
If your files are outside the webroot, I can't access them via a URL directly. But PHP that runs on the server can access them. So the only way is if a user calls a PHP script in the webroot which in turn include()s the files. So if your PHP script in the webroot has got the necessary validation correct, then you shouldn't have any issues.
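
The approach discussed in this thread (forms kept outside the web root, a session flag set by the CAPTCHA page, and one script in the web root that does the include), as an added example that is not part of the original posts. The directory layout, the `f` parameter, the form file names and the `FORMS_GATE` constant are assumptions made for illustration.

```php
<?php
// form.php: sits inside the web root and is the only public way to reach a form.
// Assumed layout (hypothetical):
//   /var/www/site/public/form.php   <- web root, reachable by URL
//   /var/www/site/Forms/*.php       <- outside the web root, no URL maps here
declare(strict_types=1);

session_start();

// The CAPTCHA page sets $_SESSION['human'] = true after a correct answer.
if (empty($_SESSION['human'])) {
    http_response_code(403);
    exit('Please complete the CAPTCHA first.');
}

// Map short public keys to file names so the request never supplies a path
// and the real file names are never exposed. Names below are constructed.
const FORMS = [
    'contact' => 'contact_form.php',
    'quote'   => 'quote_request.php',
];

$key = (isset($_GET['f']) && is_string($_GET['f'])) ? $_GET['f'] : '';
if (!array_key_exists($key, FORMS)) {
    http_response_code(404);
    exit('Unknown form.');
}

// Resolve the target and confirm it really lives inside the Forms directory
// (defence in depth against symlinks or a bad entry in the map).
$formsDir = realpath(__DIR__ . '/../Forms');
$target   = ($formsDir === false)
    ? false
    : realpath($formsDir . DIRECTORY_SEPARATOR . FORMS[$key]);
$prefix   = $formsDir . DIRECTORY_SEPARATOR;

if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
    http_response_code(500);
    exit('Form unavailable.');
}

// Only relevant if Forms has to stay inside the web root: each form file can
// start with  defined('FORMS_GATE') || exit;  to refuse direct requests.
define('FORMS_GATE', true);

require $target;
```

Only the output of the included form reaches the browser, so neither the `../Forms` path nor the real file names appear in the response.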