Preventing Access to Directory Path From Client Browsers

Posted: Tue Jun 03, 2008 9:23 am
by parka
How can I prevent access to a directory when users type in the URL address?

E.g. Users should be redirected back to homepage when accessing, let's say, the 'inc' directory.
- webpage.com/inc
- webpage.com/inc/login_user.php
- webpage.com/inc/data/registration.php

But I would need the PHP scripts to be able to access the 'inc' folder because the processing files are there.

I tried mod_rewrite, but it would redirect the address with everything appended behind.
If I try to access "http://webpage.com/inc/somefile.php", I would get redirected to "http://webpage.com/somefile.php". It should be redirected to "http://webpage.com" instead. Wondering if it's the right place to use mod_rewrite

Thanks in advance for any help.

Re: Preventing Access to Directory Path From Client Browsers

Posted: Tue Jun 03, 2008 12:50 pm
by vargadanis
The solution is a lot simpler. Either you add an .htaccess file and deny all, or set up Apache config file to deny all to access (includes will still be possible if I remember OK) or simply add an index.html or php file to the dir which redirects from the URL. Also I would add a robots.txt file so that bots would not include the content of the dir into their databases.

Code:

<script>window.location="../index.php"</script>

Re: Preventing Access to Directory Path From Client Browsers

Posted: Tue Jun 03, 2008 11:10 pm
by parka
Thanks.

If I were to just put an "index.php" file in every directory, does that solve anything? It might be harder for intruders to understand the directory structure. If the intruders type in something like "http://webpage.com/inc/login.php", they will get a blank document parsed back.

I'm just worried about security.

Re: Preventing Access to Directory Path From Client Browsers

Posted: Wed Jun 04, 2008 2:03 am
by vargadanis
Yes... Security is an issue that all programmers need to consider. However, an .htaccess file might solve the problem. I do not quite know how but I think it is possible to deny all requests from browsers but not from the server. Therefore it provides relative safety. It is possible by editing the Apache virtual hosts file as well if you can access it.

Re: Preventing Access to Directory Path From Client Browsers

Posted: Wed Jun 04, 2008 4:19 am
by Mordred
Best solution is to place include files outside of the web root
Next best thing is to .htaccess Deny

Re: Preventing Access to Directory Path From Client Browsers

Posted: Thu Jun 12, 2008 7:48 am
by mpetrovich
parka wrote: I tried mod_rewrite, but it would redirect the address with everything appended behind.
If I try to access "http://webpage.com/inc/somefile.php", I would get redirected to "http://webpage.com/somefile.php". It should be redirected to "http://webpage.com" instead. Wondering if it's the right place to use mod_rewrite
What you are asking can be done. You have an error in your mod_rewrite.

If you want to be really strict, you can have anything that does not fall in the desired folders redirected to a home page. Now, what is great is that mod_rewrite does not affect PHP scripts and your ability to include things.

Code:

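# Block direct requests for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
DirectoryIndex index.php
Options +FollowSymLinks
RewriteEngine on
# Leave these alone: anything under /images/, robots.txt, and index.php
RewriteCond %{REQUEST_FILENAME} !^(.*)/images/(.*)$
RewriteCond %{REQUEST_FILENAME} !^(.+)/robots\.txt$
RewriteCond %{REQUEST_FILENAME} !^(.*)/index\.php$
# Everything else is handed to index.php with the requested path as the query string
RewriteRule ^(.*)$ index.php?$1 [L]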
So, if you did something like this, you could only access the images directory and the robots.txt file. Everything else that tried to be accessed would pop into index.php. Now, the way I wrote this, the query string for index.php will be the file name (the $1). So, if someone accessed "/inc/somefile.php" the server would run index.php and send in "/inc/somefile.php" as the Query String. Your index.php can then figure out what to do with that.
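
The two approaches discussed in this thread, written out as an added example that is not from any of the posters: a deny rule placed inside 'inc', and, as an alternative, a redirect to the homepage that carries nothing over from the requested path. It assumes the directory is named 'inc' directly under the web root, that .htaccess overrides are allowed for it, and that mod_rewrite is loaded for the second option.

```apache
# ---- Option A: file inc/.htaccess (constructed example) ----
# Refuse every HTTP request for anything in inc/ and below with a 403.
# PHP's include/require open files through the filesystem, not over HTTP,
# so scripts outside inc/ can still load these files.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 and earlier
    Order deny,allow
    Deny from all
</IfModule>

# ---- Option B: file .htaccess in the web root (constructed example) ----
# Use instead of Option A when visitors should land on the homepage
# rather than see a 403.
RewriteEngine On
# In .htaccess the pattern is matched without the leading slash, so this
# covers inc, inc/, inc/login_user.php and inc/data/registration.php.
# The target is the fixed path "/"; the trailing "?" drops any query
# string, so nothing from the original request is appended.
RewriteRule ^inc(/.*)?$ /? [R=302,L]
```

Either option also stops a browser from submitting a form or sending an AJAX request to a URL under /inc, so any script that must be reached directly by the client has to live outside that directory.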