I have been reading on how to protect my .php includes. The main suggested option is to place the .php files I want to protect outside the folder that serves the .php files which is /public_html in my case.
So, I decided to make a folder named /includes and I access my .php includes from the /public_html .php files like ../includes/file.php. This works nicely but I am being a bit paranoid.
Can I go ahead and add an .htaccess with the following line on /includes:
Deny from all
I know the user is not supposed to access the /includes in my case. Though, would that .htaccess file in /includes hurt me in any case?
Thank you.
A really good way is to have a front controller (FC) manage all of your resource requests, and htaccess to route everything to the FC.
Then if someone tries to access something on your site it'll be routed through FC. It will in turn call a router which should only allow loading of files this way which are in a specific directory.
So attempting to navigate to (eg) includes/someScript.php wont work because FC wont route a web request into the includes dir.
This won't affect your requiring them within PHP files as this request wont go through the FC.
Related
I've been using codeigniter for a few months, and for my first couple projects I've just put all the files in the root. It's working okay that way, but a reading of the manual suggests for security reasons the system and application files should be moved--while index.php should be in the root.
I'm starting a new project, going back and reading the directions again, and trying to do exactly what they say to do this time. However, I'm having trouble understanding the following instructions, given in this page of the manual:
"Install the CodeIgniter folders and files to your server. Normally the index.php file will be at your root."
"For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser."
So, reading this, I don't really understand exactly where I am supposed to put the files. Currently, as unzipped, it's a folder I've called codeigniter, with the all the ci files: system, application, user guide, index.php etc.
So my new Web site currently has this structure:
--www.mywebsite.com
------Public
Should I make it this?
--www.mywebsite.com
-----codeigniter
--------application
--------system
--------assets
--------user manual
-----------Public
______________index.php
So basically only index.php would be in my root? (And maybe assets and user manual if I want?)
I did read somewhere that if I move system and application files I need to change their path--that should be easy enough, but I want to make sure I am correctly understanding what the ci manual is suggesting before I invest all the time in making the new setup work properly.
Any help would be much appreciated!
you can do something like this
www.mywebsite.com (folder where its located/root) - (Ex: If AWS - /opt/webapps/mysite/)
other
- application
- system
- assets
index.php
.htaccess <-- mainly to remove index.php from URL and other stuffs as well
then in index.php (on root)
$system_path = 'other/system'; # Line 100
$application_folder = 'other/application'; # Line 117
When calling CSS/JS/Images on assets folder
<link rel="stylesheet" type="text/css" href="<?php echo base_url()?>other/assets/boostrap.css">
Hence you can revoke permission to System folder with the help of .htaccess. (They(Codeigniter Team) already did that). If you open system folder there is file called .htaccess. Open it you can see something like this
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>
What I suggest you to do from security
Set base_url() correctly
Use Codeigniter Input methods. (to prevent injections. read more on this)
Resources of links
Security - Codeigniter.com
Some more about Security - tutorialspoint.com
I am using codeigniter and have put the assets folder in the root of the application that contains a .htaccess file having the content
Deny from all
This is causing problems when I want to connect to the assets folder to get the stylesheets etc. So my question here is is there any way that I can allow the access just to that assets folder, that I have?
I have never used .htacces files so have a very basic knowlege of it. I did some research on my own as well but I wasn't able to find the solution.
In your assets directory add another .htaccess file with the following:
# /assets/.htaccess
Allow from all
And I am assuming in your root directory you have the following (which you will leave):
# /.htaccess
Deny from all
Update: Based on your comment, what you are looking to do is not really possible. The browser needs to have access to your CSS file in order to use it on your page.
So I'm on a 15-day trial of my (already paid) webhosting and they seem very good, at least they did until I got my FTP.
I have a php script that needs a folder outside of the root directory
Example:
website root:
/users/websites/public_html/ <- folder which users / browsers have access to
The script needs a folder here:
/users/websites/ <- above the root
for example /users/websites/sensetive_data/ <- browsers cannot acces this
but that's impossible on my web-host "because it's a shared hosting" <- their answer. And they can't change the root path.
So I cannot create any directories or files above /users/websites/public_html/
So, well, to no cancel my trial immediately, maybe I will try to do it in another way, I want to use htacces to restrict acces to a directory, and all the files in it and it's subdirectories,
So I can move the 'sensetive_data' folder to /users/websites/public_html/sensetive_data
I want it to redirect to the main page (so when accessing /users/websites/public_html/sensetive_data/* [http://example.com/sensetive_data/*] it will go to /users/websites/public_html/ [http://example.com/],
so even if the user knows the exact url, he/she will be redirected. How can I accomplish that?
If you want to do a redirect for a folder, say /users/websites/sensitive_data/
create a file in that folder called .htaccess and add the following (and specify the url to redirect to)
Options -Indexes
ErrorDocument 403 http://mysite.net/
In /users/websites/sensetive_data/.htaccess write:
Deny From All
For your whatever PHP script you need to change it yourself.
I have a website that has an include folder which contains php templates and functions. If a user tries to access that folder. It may not harm website but I don't want my users to see those templates in an UN-organized manner. Instead, I want to restrict the user if he tries to directly access those files within include folder and redirect him to homepage.
Put this in an .htaccess file in that directory:
Deny from all
This is assuming you're using Apache or another web server that knows how to read and process .htaccess files.
For the redirect, instead of Deny from all you could try this instead:
RedirectMatch 301 ^/includes/$ http://www.yoursite.com/
You can configure the server such that this folder is not available to the public. Alternately, structure the site so this folder is below the siteroot - this makes it completely invisible to the public. Simply adjust your include paths and you're done. I prefer this solution, because the files are completely off the radar unless you are logged in and have access to the file system.
Looking some frameworks like Code Igniter I see they use a "defined" check on the syspath to prevent users opening the files from the subfolders, and also an index.html placed on every folder.
Can't I just use a mod_rewrite and get rid of these checks?
Is the mod_rewrite enough to let the users access only the index.php of the entire application?
You can move all the files for your application out of the web root and only have those files there that should be accessible by users.
Place all non-accessible files in folders and then put a new .htaccess file in each folder containing:
order deny,allow
deny from all
This will prevent HTTP access to those folders in Apache (other servers will have equiv. options). We use this to prevent access to incldue/, which contains the libs, static config etc.