[SOLVED] Restrict file access from outside

anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Hi
I think this may be related to htaccess.
I have a directory called includes where a lot of scripts in the root call scripts in include (include_once("include/scripta.php")).
I want these include scripts never to be called from outside - like someone typing the URL in the browser (http://xxx.com/include/scripta.php). These are meant only to be called from scripts in root or elsewhere in my host.
How do I do this?
Thanks.
Last edited by anjanesh on Sun Mar 20, 2005 12:37 am, edited 1 time in total.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Create a directory below the document root and store the files there.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

a potentially easier way: if a certain constant isn't defined, die().. you could also make them output nothing if called directly, which can be found through some playing around with some server variables and the __FILE__ constant.

There are many ways.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

hawleyjr: That's precisely what I did - all my include scripts are in include directory under root. But if an error occurs, PHP will show the error with line no: and the file name where it occurred. And that time it'll show Error in line n in include/scriptx.php. That's when others can find out that include directory consists of this script and so.

feyd: You mentioned this before in a previous post - but I'll have to keep creating some variable for all my scripts for these purposes.

But isn't there any htaccess way to have this done? I was hoping 2-5 lines in htaccess will do all this for all my files I add in include directory.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

If it's an error message you're worried about, why don't you turn off error reporting?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

That's just one way. What if someone did find out that there's a scripta in include directory and executed it by going to http://xxx.com/include/scripta.php? I want Apache not to allow that at any cost. It should only be allowed within other scripts which call it using include, require etc.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

If you put the script below the document root a user can't get to it via a URL.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

I meant to include this in my last post.....


Here is an example of a dir on a server I've used before:

xyz.com
|_htdocs
|_includefiles
|_tmp
|_cgi-bin
|_etc

The user can only see what is in the htdocs directory.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

keep adding more variables? You create one.. then just check for it in all the includes. Using code is independent of folder settings, customizable, and allows for other servers that don't support .htaccess.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Where is this below you're talking about?
xxx.com
|
|-public_html
| |
| |
| |-include
|
|
|-include
|
|
|-etc

I see...you mean the include right under xxx.com and not under public_html.
I can access them by giving ../include in include function.
Fine this is good.
Web Host using Red Hat Linux: In case there's an htaccess method please do let me know.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Feyd, I see why your solution is easier, if you don't have access to mod .htaccess but from a security standpoint, isn't it better to have files such as db connection below the document root where a user has no way to reach the file via a URL?

What happens if your code looks like this (In every include)

Code:

if(!isset($mySecurityVar) || $mySecurityVar !== 'some phrase or number'){
    echo 'Hello World';
    exit;
}else{
    //run file
}

And a user enters a url such as this:

http://www.example.com/somepage.php?myS ... +or+number
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

if you're allowed to do such things, yes.. however, I have to write my code to be flexible and allow for varying policies regarding where files can be stored.. So I use code as a fall back, to make sure (in case someone screws up permissions or whatever)
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I don't have much knowledge in htaccess but I thought Apache server had a great deal of flexibility in order for web developers to do such things.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

this magic variable is a code level constant. It has no bearing on URL data.

As for Apache's flexibility in htaccess.. yes, there is some.. read the docs, you'll learn lots. http://httpd.apache.org/docs/howto/htaccess.html
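
The two code-level guards discussed in this thread (the constant check, and the server-variable plus `__FILE__` check), as an added example that is not code from any poster. The constant name `IN_APP` and the temporary file names are assumptions; the script is meant to be run with the PHP CLI, where executing an include file on its own stands in for a browser requesting its URL.

```php
<?php
// Added example, not code from the thread. IN_APP and the temp file names
// are assumptions made for the demo.

// Guard A: the constant check. Every entry script defines IN_APP before
// it includes anything; the include refuses to run without it.
$guardA = <<<'PHP'
<?php
if (!defined('IN_APP')) { http_response_code(403); exit('refused'); }
return 'ran';
PHP;

// Guard B: server variable plus __FILE__. Refuse when this file is itself
// the script the server was asked to execute.
$guardB = <<<'PHP'
<?php
$requested = realpath($_SERVER['SCRIPT_FILENAME']);
if ($requested === __FILE__) { http_response_code(403); exit('refused'); }
return 'ran';
PHP;

function demo(string $code): array
{
    $path = sys_get_temp_dir() . '/guard_' . bin2hex(random_bytes(4)) . '.php';
    file_put_contents($path, $code);
    // Running the file on its own stands in for a request to its URL.
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path);
    $direct = shell_exec($cmd);
    // Normal use: pulled in by a script that is already running.
    $included = include $path;
    unlink($path);
    return ['direct' => $direct, 'included' => $included];
}

// Request data cannot create a constant, whatever the parameter is named.
$_GET['IN_APP'] = '1';                  // constructed request parameter
$definedByRequest = defined('IN_APP');

define('IN_APP', true);                 // what the entry script does
printf("constant defined by request data: %s\n", var_export($definedByRequest, true));
foreach (['constant' => $guardA, '__FILE__' => $guardB] as $name => $code) {
    $r = demo($code);
    printf("%-9s direct=%s included=%s\n", $name, $r['direct'], $r['included']);
}
```

Either guard only decides what the file does once PHP is already executing it; whether the web server will serve the file at all is still determined by where it is stored and by the server configuration.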
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

This is not working. I can execute a file within the browser in include directory.
.htaccess file in include directory.

Code:

<Files ~ "\.php$">
    Order Deny,Allow
    Deny from all
</Files>

Once this works I'll add Allow from localhost