I have been told that for security reasons all PHP data handling files should be located outside of the website root directory. I have a website hosted in IIS 10 with the includes folder outside the root. Something like this:- website: C:\inetpub\wwwroot\index.php and PHP files C:\includes\submit.inc.php This is obviously not working since http:\localhost\includes\submit.inc.php doesn't exists. The submit.inc.php is a file that AJAX uses to send form data back to the server.
So, should I be worried about PHP file separation in the first place, and if so, how can I reference files outside website physical path in IIS?
Thanks.
You should have PHP files (or a file if you are using the Front Controller pattern) that are inside the root.
These provide endpoints (i.e. have URLs) that browsers and other clients can make requests to.
From there you can load the dependencies from outside the root using require_once.
The primary goal of keeping your data processing outside the root is to protect your business logic and security credentials from leaking if an HTTP server configuration error causes your PHP files to be served up raw instead of processing them with PHP.
This isn't served by keeping all your PHP outside the root.
Related
I followed this tutorial and it describes how to connect to a database using an Android app.
I need to create a folder structure similar to the one below:
My Question is where in a real server should the proposed files be placed?
I have a path of Home Directory/My Domain/....(folders)... so do I place that structure inside or outside My Domain folder.., and if outside how I am going to access them if I use the following?
require_once 'OUTSIDEFOLDER/include/Config.php';
Shouldn't I be blocked by permissions?
My Question is where in a real server should place the proposed files?
You must place your file.php in the www folder.
For example, if you have a WAMP server installed, you must place all your files (e.g. file.php, etc) in a path like c:\{wampPathInstalled}\www\mywebsite, where {wampPathInstalled} is the path where WAMP is installed on the C drive (or if it is another drive, use that drive letter instead).
You can access the scripts by running http://localhost/mywebsite/myfile.php in a browser.
Tell me what is your real server (IIS or other) & I can indicate where the best place is in your case.
if you use plesk, your response must be in this link.
Well ideally for productions websites I would create a directory for every site hosted and place at a location that will require sudo privileges for modifying, reading or deleting files. Therefore the directory could be inside /var/www or you could create one inside /var/data. I would always place all the configuration information for a site in a separate config file, this file will then be included in only files that requires that information. Furthermore implement your application using MVC approach where the application is served through one common router and also provide appropriate permissions to directories based on things they are doing avoid unnecessary read, write, execute permissions everywhere to your app. Hope this helps
I have a few PHP scripts that generate word documents into a folder.
The PHP scripts are locked down with a login session, however if you know the right URL the documents are accessible.
How do I lock down the directory from being accessible from a url but still maintain read and write access for the PHP scripts? Currently the chmod for the directory is set to 777. Can this be set with the folder permissions?
You place the documents at the wrong location in your file system.
Do not place the documents inside the document root and you do not have to protect them. There is not need to place them exactly in there. There is no limit to still accessing such documents from php when they are stored elsewhere. So create yourself a folder outside the document root and that's it.
General rule of thumb:
never place objects inside the document root that are not meant to be accessed directly by web requests.
documents meant to be offered for download should not be offered directly but by a handler script instead.
I've been wondering: is it possible to shield a directory/file on a server from the outside world, but make it accessible to PHP?
It's fairly simple. I'm caching webpages on my server with PHP in a certain directory, but I do not want web users to view these files or this directory directly. PHP, on the other hand, must be able to access these files (to serve them to the user). That may sound not logical, but what I'm trying to do is restrict users certain pages and still be able to cache them in a webserver-savvy format.
Preferably something with .htaccess or chmod.
Thanks!
Absolutely-- in fact, you don't need to use .htaccess. Simply put the protected directory above your document root (that is, store it next to the folder where your PHP scripts are store, typically "htdocs," "httpdocs" or sometimes just "www').
So your web files would be in /my/folders/httpdocs/, and your "protected" files would be in /my/folders/protected_folder/
The idea here is that PHP can access any folder on the server, but Apache won't let the user navigate "above" the root directory.
To access the directory, you can use:
$protected_path = $_SERVER['DOCUMENT_ROOT'].'/../protected_folder/';
(Incidentally, you mentioned you're doing this to cache pages-- you might want to look at Smarty, the PHP template engine, which pre-compiles your templates and also supports really smart caching. And in fact, one of the Smarty "best practices" is to configure your structure so the template and cache files are not in or below the document_root folder, so users coming in from Apache can never get to them, but the Smarty PHP code can easily grab whatever it needs from there.)
Sure, just place the files in a directory outside of your web root. For instance, if your web root is /usr/local/apache/htdocs/ you can create a /usr/local/apache/private_cache/ directory that PHP should have access to, but there is no way to get to it via a web request.
You can also put a .htaccess file consisting of the line deny from all in the directory you want to protect. That will prevent Apache (but not PHP) from serving up the files.
I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look.
It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/' so its not directly in the document root and not directly accessible to outsiders through the web server.
My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there?
TIA,
Monte
Using .htaccess adds overhead since Apache has another item it needs to check for and process.
Keeping files out of web root isn't being paranoid, it's good practice. What happens if someone accesses one of the "include" files directly and it throws out revealing errors because all the pre-requisite files weren't loaded?
Each file needs to have it's own security checks to make sure it is running under the expected environment. Each executable file in a web accessible area is a potential security hole.
It really depends on what you have in your include_files. The most important thing is that you put any credentials you have outside of the document root ( database logins, etc ). Everything else really is secondary and doesn't matter that much.
If you don't want anyone stealing your source code then try to follow Zend conventions:
application
library
public
DocumentRoot points to public and that just contains media files, js/css files. HTML/views, db logic, conf/credentials are in application. Third party libraries are in library.
Theoretically, if you just stick a .htaccess file in the folder, you could still have the .php files called directly.
Taking them out of the server root; however, keeps them from be accessed ever by someone who is browsing your website.
Notice, this is a remote server, I don't have access to it, only to the FTP. I want to do this using purely PHP, not .htaccess. Is there a way similar to .net, where you put the web.config file and you set who can access it and their password?
I'd say the equivalent of that kind of functionnality from web.config on Apache is with .htaccess files : PHP is used to generate pages, but if you are trying to work at the directory level, the check has to come before PHP is even called.
In your PHP scripts, you can access the data of HTTP Authentication ; see $_SERVER, especially PHP_AUTH_USER and PHP_AUTH_PW ; but the protection will be at the file's level, and not directory -- and, obviously, it will be enforced only for PHP files (not images in a subdirectory, for instance).
For more informations, you can have a look at, for instance : HTTP Basic and Digest authentication with PHP
The right way to do this for an entire directory is definitly with .htpasswd / .htaccess files (or directly in the Apache's configuration file).
Why using PHP? .htaccess files were designed for this purpose. If you're trying to do something like store user logons in a database, look at the something like Mod_auth_mysql
What you can do is place the files outside of your webroot and write a php script to serve those files after passing your authentication logic.
As far as I'm aware there is no way to do this purely in PHP.
If you can use .htaccess but cannot upload it for whatever reason, then I would suggest writing the htaccess via PHP.
Directory protection is always the work of the webserver. Whatever you do in your PHP script, it's the webserver's responsibility to execute the script in the first place. If you try to access another file in the directory, the webserver will hand it to the user without even looking at your script. If the user requests a directory listing, it's the webserver that's handing it to the user.
You will have to configure the webserver correctly, most likely using .htaccess files, if you want to protect real, "physical" directories.