Hide or prevent a page, a folder from users

Posted: Wed Jan 14, 2009 11:50 am
by morris520
Hi

I ran into a problem I couldn't solve and want to put it here, though it is not very PHP-related.

I have a folder in my server called ../a/
and in the folder there are view.php, update.php and delete.php

The update and delete pages actually make changes to the database, so I want to find a way to prevent users from accessing them.

But in case users know the actual address, like http://www.example.com/a/update.php, and key it in, they can still access the page and the code still runs. So, any hints on how to achieve that?

Also, they can access the folder "a" to have a look at what files are stored there. Then they can click a file to access it. This makes my site easy to hack.

So can anyone provide me some help?
Many thanks

Re: Hide or prevent a page, a folder from users

Posted: Wed Jan 14, 2009 1:10 pm
by kaisellgren
Make a session based system where a valid login is needed to execute those operations.

Re: Hide or prevent a page, a folder from users

Posted: Wed Jan 14, 2009 4:56 pm
by aibanez
Can you resolve your problem???

I have the same problem and I think that the session-based system is not the solution... What if I want to make the system/site available to any person??? But I need to protect the individual execution of some scripts???
Of course the user needs to know the name of the scripts and their location, but these things may happen.

Cheers!

Re: Hide or prevent a page, a folder from users

Posted: Wed Jan 14, 2009 5:44 pm
by kaisellgren
aibanez wrote:Can you resolve your problem???

I have the same problem and I think that the session-based system is not the solution... What if I want to make the system/site available to any person??? But I need to protect the individual execution of some scripts???
Of course the user needs to know the name of the scripts and their location, but these things may happen.

Cheers!
Theoretically it's always possible to find out the files if they are within the document root. Just protect them with a password and use sessions so that the user does not need to type the password constantly.

Re: Hide or prevent a page, a folder from users

Posted: Wed Jan 14, 2009 11:42 pm
by morris520
kaisellgren wrote:
aibanez wrote:Can you resolve your problem???

I have the same problem and I think that the session-based system is not the solution... What if I want to make the system/site available to any person??? But I need to protect the individual execution of some scripts???
Of course the user needs to know the name of the scripts and their location, but these things may happen.

Cheers!
Theoretically it's always possible to find out the files if they are within the document root. Just protect them with a password and use sessions so that the user does not need to type the password constantly.

I guess kai will suggest these codes?

Code:

<?php
session_start();

if (!isset($_SESSION['admin'])) // if the user is not admin
{
    header('Location: index.php'); // redirect to the index page
}

Is this a problem when it is a file to be included? This works and users can't actually get the page, like what happens when sending forms. Any other approach?

Re: Hide or prevent a page, a folder from users

Posted: Thu Jan 15, 2009 3:20 am
by Mordred
This is a good approach, use it.
After the header('Location: ...') line put an exit(), or the rest of the script will continue executing...

Re: Hide or prevent a page, a folder from users

Posted: Thu Jan 15, 2009 8:50 am
by aibanez
I think that this is a good approach too.
Just in case... I used to create an index.php in the different directories, so when a user types http://www.example.com/a/ in the browser the blank index.php is displayed and the content of the directory is not displayed.
What do you think????
I'm very much a beginner at PHP.... :wink:

Re: Hide or prevent a page, a folder from users

Posted: Thu Jan 15, 2009 11:16 am
by kaisellgren
aibanez wrote:I think that this is a good approach too.
Just in case... I used to create an index.php in the different directories, so when a user types http://www.example.com/a/ in the browser the blank index.php is displayed and the content of the directory is not displayed.
What do you think????
I'm very much a beginner at PHP.... :wink:
Well, it's the only proper approach if you cannot put the files outside the public root directory. Of course the classic "enter password" is sufficient, but I doubt you want to retype the password each time -- so you need to create a system that is somewhat similar to PHP's built-in session system -- or use the built-in session system, which is recommended for beginners.

If the files under /a/ are protected properly, it does not matter whether you have index.php file or not. If the attacker accesses the /a/ he gets nothing according to your case. Now the attacker knows the folder exists since it gives him nothing instead of a 404 error. You could of course copy the very same 404 error your server generates and put it inside the index.php and thus making the cracker unaware of the folder's existence. However, if you are writing a script that is going to be run on different servers (an open script available to download) then you can't know how the 404 error pages look. I've been trying to get around this without success, I've tried to read Apache default 404 files and use PHP to output those, but there are lots of trials and errors and they are not really worth it.

Re: Hide or prevent a page, a folder from users

Posted: Thu Jan 15, 2009 11:20 am
by kaisellgren
morris520 wrote:I guess kai will suggest these codes?

Code:

<?php
session_start();

if (!isset($_SESSION['admin'])) // if the user is not admin
{
    header('Location: index.php'); // redirect to the index page
}

Is this a problem when it is a file to be included? This works and users can't actually get the page, like what happens when sending forms. Any other approach?
Yes Kai suggests that approach. :)

But be aware that the code alone is not safe -- just the approach itself. Put exit() after header() like Mordred said, and also search for Session Hijacking, Session Fixation and CSRF to further protect yourself.
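To show what "the approach plus the fixes Mordred and kaisellgren mention" looks like in one place, here is an added example (my own code, not anything posted in this thread). It assumes a file auth.php next to view.php, update.php and delete.php; those scripts begin with `require __DIR__ . '/auth.php'; require_admin();` (view.php calls `require_admin(false)` because it only reads), and a hypothetical login.php calls `mark_admin_logged_in()` after it has verified the password. PHP 7 or newer is assumed for random_bytes(), hash_equals() and the `??` operator.

```php
<?php
// auth.php: added example, not code from this thread.
// Assumed callers: update.php / delete.php -> require_admin();
//                  view.php                -> require_admin(false);
//                  login.php (hypothetical) -> mark_admin_logged_in();

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Guard for the protected scripts: admin session, POST only, valid CSRF token.
function require_admin(bool $mutating = true): void
{
    // 1. Not logged in as admin: redirect AND stop. Without exit() the rest
    //    of the calling script keeps running, which is the bug Mordred points out.
    if (empty($_SESSION['admin'])) {
        header('Location: /index.php');
        exit();
    }
    if (!$mutating) {
        return;                       // view.php only needs the login check
    }
    // 2. Scripts that change the database act only on POST, so a typed-in
    //    URL (a GET request) can never trigger an update or a delete.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('POST required.');
    }
    // 3. CSRF: the POST must carry the token stored in this session, or
    //    another site could make the logged-in admin's browser submit the form.
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid request.');
    }
}

// Called by login.php once the password checks out. session_regenerate_id()
// discards whatever session id the browser arrived with, so an id planted in
// advance by an attacker (session fixation) never turns into an admin session.
function mark_admin_logged_in(): void
{
    session_regenerate_id(true);
    $_SESSION['admin']      = true;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Emits the hidden field for forms that post to update.php or delete.php;
// call  echo csrf_field();  inside the <form> in view.php.
function csrf_field(): string
{
    $token = $_SESSION['csrf_token'] ?? '';
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}
```

The three checks are ordered so that the cheapest failure (no admin session) is answered first, and the guard never falls through: every failing branch ends in exit(), which is exactly the point Mordred raised about the original snippet.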

Re: Hide or prevent a page, a folder from users

Posted: Thu Jan 15, 2009 1:59 pm
by aibanez
Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.

Can anybody help with some examples to achieve what I need???

Thank you in advance

Re: Hide or prevent a page, a folder from users

Posted: Fri Jan 16, 2009 10:06 am
by morris520
aibanez wrote:Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.

Can anybody help with some examples to achieve what I need???

Thank you in advance
Maybe the only and easiest way to do this is to hide the actual location from users. I just found you can put an index.php/html/asp in your folder to prevent users from seeing your whole directory.

Then you need to deal with your form pages. Hide the processing page like update.php, maybe adding some md5 to the tail so it becomes update.php?sdrjlxjclf42dfg, so users can never try to guess the real address.

I've got the same problem as you. I don't actually need a username and password to use the SESSION approach. So I figured this out. Hope that helps.

Re: Hide or prevent a page, a folder from users

Posted: Fri Jan 16, 2009 10:48 am
by kaisellgren
aibanez wrote:Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.
Why on earth are you using $_SESSION if you do not need user authentication?
morris520 wrote:Maybe the only and easiest way to do this is to hide the actual location from users. I just found you can put an index.php/html/asp in your folder to prevent users from seeing your whole directory.

Then you need to deal with your form pages. Hide the processing page like update.php, maybe adding some md5 to the tail so it becomes update.php?sdrjlxjclf42dfg, so users can never try to guess the real address.

I've got the same problem as you. I don't actually need a username and password to use the SESSION approach. So I figured this out. Hope that helps.
Index.php will "remove" the directory index if the server is configured to do so which most likely is the case.

So you do not require any passwords to run the actions of your forms; I guess the form is then a public form like a registration form, login form, etc.? If so, why do you need to hide the file the form data is sent to? If you have a form then an attacker always knows the file the form is sent to. Obviously.

I do not understand what you both are trying to achieve. Maybe you could provide us with a "real life" explanation of your website, like what files you have and what they do.
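Two things in this thread can be shown concretely without any login at all: aibanez's s.php, which should run only when index.php pulls it in, and kaisellgren's advice to keep such files outside the public root and to let the /a/ folder answer like a 404. The following is an added example (my own code, not code posted by anyone in the thread). It assumes the layout in the comments, with placeholder paths you would adjust to your own server; three files are shown in one block, and in practice each one starts with its own `<?php` tag. The `defined('IN_APP')` guard is a common PHP idiom I am adding here, not something the thread itself proposes.

```php
<?php
// Added example, not code from this thread. Assumed layout (placeholder
// paths, adjust to your server):
//   /var/www/html/             document root, the only directory the server serves
//   /var/www/html/index.php    public front page, pulls in s.php
//   /var/www/html/a/index.php  placeholder that answers with a 404
//   /var/www/app/s.php         helper script, OUTSIDE the document root

// ---- /var/www/html/index.php ----
// IN_APP marks that s.php is being loaded by the front page rather than
// requested on its own. The require path points outside the document root,
// so no URL maps to s.php at all; the constant is a second line of defence
// for files that have to stay inside the web root.
define('IN_APP', true);
require __DIR__ . '/../app/s.php';

// ---- /var/www/app/s.php ----
// Refuse to do anything unless index.php defined IN_APP first. A direct
// request (if the file were ever reachable) gets a 404 instead of running,
// which is the behaviour aibanez wanted without any user authentication.
if (!defined('IN_APP')) {
    http_response_code(404);
    exit;
}
// ... the real work of s.php goes here ...
echo 'rendered by s.php, included from index.php';

// ---- /var/www/html/a/index.php ----
// Stops the directory listing of /a/ and, as kaisellgren describes, answers
// with a real 404 status so the folder does not announce itself. Only the
// status is sent; the body stays empty rather than copying the server's
// own 404 page.
http_response_code(404);
exit;
```

The order of preference matches kaisellgren's advice: moving s.php outside the document root removes the URL entirely, the IN_APP check covers the case where that is not possible, and the 404 placeholder in /a/ only hides the listing, so on its own it protects nothing that a user could still request by name.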