I have problem I'm using my folder as 'includes' and there are all files with extension .php so I wanna block this folder, when someone "hacker" want to write in url path to for instance file responsible for connection to database. But other files can using this files to make a diffrent operations.
inside your "includes" directory create a file ".htaccess" with a row "deny from all". It will prevent browser access to your files inside Includes directory.
Related
For a file transfer system, I store data on my server. The data can be accessed using a URL, for example:
http://filestorage.example.com/files/clientfiles/clientid/test.pdf
All files inside the folder clientid/ are linked on a generated download page for the client, For example:
http://example.com/download.php?clientid=28692692846
Above URL contains a webpage with multiple links to all files inside the clientid folder:
<a href="http://filestorage.example.com/files/clientfiles/clientid/test.pdf" download>
test.pdf
</a>
Now I want to restrict the access to the files. It should be impossible to access the files from outside, they should only be accessible from the download.php.
Is it even possible to achieve something like this?
Files and the script are on the same server.
The simplest way I can think of to accomplish this would be to use a unique session variable generated on the files inside the /clientid folder - regardless of what the file extension is for these, they'd be simple PHP pages which loaded the files via download.php.
session_start();
$_SESSION['file_id'] = $secret_file_id;
header("Location: http://example.com/download.php?clientid=28692692846");
Then in the download.php file, check for this variable.
session_start();
if((isset($_SESSION['file_id'])) && ($_SESSION['file_id'] == $secret_file_id)) {
// Offer file for download
} else {
//Not referred from correct URL, reject.
}
You can put a .htaccess file in that folder that contains just:
deny from all
In this way you cannot open any file from that folder, but you can include them in php without any problems.
Yes, you can achieve this through .htaccess using:
order deny,allow
deny from all
allow from example.com/download.php
This will deny everyone access unless they visit via example.com/download.php.
If you're using Apache 2.4, then you would need to use:
Require all denied
Require host example.com/download.php
Obviously you would need to place the .htaccess file into the folder that you wish to restrict access too. So if I'm understanding your file structure correctly that would be /clientid/
For my app I decided to change the directory of static and public content to another domain.
However, I had troubles about the copy of files into folders.
I decided to restrict the access of subdomain to a specific path. Indeed, when you log in to the ftp, you can't show the subfolders
So atm, this is what I have :
A domain www.domain.com
A subdomain www.static.domain.com
Ftp logs which only allow me to show the content of www.static.domain.com
Then, I wish to copy files and directories after user's register. I can create folders, but I can't copy files...
The getcwd() function returns me this :
/datas/vol2/xxxx/var/www/domain.com/htdocs
instead of
/datas/vol2/xxxx/var/www/static.domain.com/htdocs
That's why I can't copy the index.html file at the root of the subdomain to each folders i'm going to create.
Do you have any ideas about that ?
Thanks for answers
T
What about the "copy" or "move" Command?
I have a simple php image upload form that saves the images in a temporary folder, lets call it temp, and when the image is approved by me I manually copy it to the album folder.
My question is, if there is a way for someone or I don't know, a search engine maybe to find "guess" my temp folder and what images are inside ( before approve ).
You wrote it yourself:
The temp is inside public_html
Doesn't that answer your question?
If this is not desirable, create a .htaccess file inside the temp folder, with this content:
Deny from all
It depends on the location of the temp folder. If the folder lies outside the root directory of your server its not discoverable but if it lies inside the root directory it is discoverable. However you can limit the access to your temp folder if its inside the root of the server through htaccess. Or you can place a index.php file inside the folder with a header redirect so that no one can see the file(image) list.
How can I define a route to a .php file in my webroot folder?
Thank you
Edit:
How can I render a file in the webroot folder from a controller? I need this because I am using Auth.
I'm guessing you're trying to password/Auth protect a file in the webroot folder. If so, you're on the wrong track. Files in the webroot are served as-is by default and are bypassing Cake entirely. Any file you put in the webroot is by definition "public". To protect it, you'll need to store it someplace else outside the webroot. You can then serve this file from a controller using the Media View. Your URL would look like, for example, /files/download/foo, which maps to FilesController::download('foo') via normal routes.
I'm new to php and hope you can make me figure out whether I'm trying to do anything impossible.
I have two folders 'public' (root directory), and 'library' (all php files here), these folders are in same level of folder hierachy. my public/index.php is basically loading another php file (say aa.php) which is in 'library' folder on the loadup. Now I need to create a anchor link to file call bb.php which is also inside library folder.
I tried create anchor as follows
echo " my bb file
But I'm getting 404 error saying localhost/bb.php can not be accessed. I guess this is because bb.php file is not with in root directory and server is preventing direct access to this file.
Please help me to overcome this problem.
Thank you
If library/ and public/ are at the same level, the webserver will not be able to serve the files in library/. Typically, files in a library directory would be included by files in the public web folder.
If you need to use the bb.php directly, you will have to move it to public or a folder within public. And then from within public/bb.php you can include library files
/* public/bb.php */
include("/path/to/webroot/library/file.php");
Move bb.php into the folder "public".