Deny access to files and folders within web root without using .htaccess - php

Is it possible to deny access to files and folders within the web root without using .htaccess or file permissions? A universal solution that works with all servers?
This relates to a flat-file framework I'm making with PHP where the requirement is basically "drag the project folder in the web root to launch the site." The other goal is for there to be a front-end interface where the client can log in and edit content.
I deal a lot with shared hosting accounts where I can't always change the web root. Additionally, I don't necessarily want to rely on developers manually setting file permissions. The reason why I don't want to use .htaccess is that, one, it relies on the host being an Apache server, and, two, it relies on specific Apache settings.
EDIT: specificity

This was answered here with a couple of really great answers you'll probably find useful:
Prevent access to files from Apache without .htaccess
The first suggests setting permissions to be inaccessible and CHMODDing them with PHP when you need to access them.
The second suggested you place them outside of your web root but keep them accessible by PHP (using include(), I would assume).
Either or should accomplish what you're hoping. (Wish I could comment stuff like this.)

Related

Where to put PHP files, root directory or public_html directory?

I saw alot of frameworks like Laravel, Zend, Symfony .... and I noticed that they put php files in the root directory, but when I saw WordPress and vBulletin and alot of famous scripts, and I noticed that they put the php files in the public directory.
I wanna know what is the best place to put my PHP files. Root directory or public_html directory? Which is better? and Why! And what is the difference between them?
Assuming by "root directory" you mean somewhere outside of the web server's document root, and that "public_html" is the web server's document root...
It's best practice to only have scripts that must be directly accessible within your web server's doc root. If something happens where PHP gets disabled, you don't want the whole world downloading copies of your source code. Scripts can include files from wherever they can access on disk, so it's possible to only put a loader in the web server's doc root and keep the whole application out of there. This is common and best practice.
Wordpress likely doesn't do this by default because most folks installing Wordpress don't really know what they're doing. It's easier for them to just extract a tarball to one place and not have to worry about it. The ones that do know what they are doing can customize installation paths if desired.

Putting another website along with Zend website

I am working with a website built (not by me) on Zend framework.
I have made a small website (for a Facebook app) built on simple html with custom php (no Facebook API used), which, if put in public/ folder (so that it can be reached via *www.main_site.com/my_small_site*), does not work (I get Warning: file_get_contents() [function.file-get-contents]: URL file-access is disabled in the server configuration).
The php.ini on the website, however, contains allow_url_fopen = on, so my guess is that all my php files should be simply put somewhere in the application/ folder, instead of the public/ folder.
The websites don't use shared files, they are independent. And purchasing another hosting is an expensive option.
I am absolutely new to Zend, and learning how to make my own controllers/views will consume too much time, so this is the last option to consider.
How can I solve this problem?
Access .php located in application/ from *public/my_small_site/index.html*? (is it possible without touching the main website's public/index.php?)
Create a new view and put my small website there? (how can I make it accessible from the web?)
Still consider new hosting/subdomain options?
Any other solutions?
Thank you!
public/ is the correct place to put your Facebook app. The error doesn't lie - are you 100% sure the php.ini file you checked is the one being used? I'd suggest you create a phpinfo file as explained here https://kb.mediatemple.net/questions/764/How+can+I+create+a+phpinfo.php+page%3F#gs - this will let you view the configuration PHP is using. See what allow_url_fopen is set to there. If it is set to 'off', there might be a different php.ini file you need to change.
Otherwise, contact your host.

Sub Domain utilizing same application files as root (using PHP)

This question seems really elementary, but I have never had a use for the scenario as of yet, so figure I will get some advice. I am building a complex application with an accompanying API in a LAMP environment.
mydomain.com will be the location of the main service and system.
api.mydomain.com will be the location of all endpoints for my API.
All of the class files, DB config files, etc, will be located at main domain/root folder.
Is there a recommended way to handle this? Or is it as simple as including the required files on the API side/folder?
It all depends on whether api.mydomain.com is on the same server as mydomain.com. If they are, you could allow access to the shared files from both areas by using direct paths. So for example, say you have a structure like this:
/webdata/shared
/webdata/api
/webdata/www
You could simply just do an include like:
include_once('/webdata/shared/config.php');
As it is on the same server, it should be no problem. You should use absolute paths for including, so for example /web/www/htdocs/config.inc.php instead of ../htdocs/config.inc.php, as it would get really confusing.
It would be the best to have a simple pathConf.inc.php in api directory and root directory, containing this absolute path - so you will be able to easily change it afterwards. Then, use this path configured in pathConf.inc.php and include your classes, db configs etc.

Secure folder structure for php site

I'm a Java (SE, EE) developer and I have been working with these techs for almost 6 years, I have also worked with php for non-web apps.
Now I'm required to build a site in php but I have googled a lot and I can't find a standard folder structure for a php site. As may you know in Java EE there is a defined structure and with the web.xml you can define security in order to allow or deny access to folders in the web root.
So the question is: Is there a standard folder structure to bring security in a php site?
If there is not, how can I prevent access to folders in my site, without the need to use .htaccess nor moving my folders to a private area in the web server?
There is no defined structure for PHP projects. Application frameworks invariably use well-defined structures, but that is decided individually by each framework. In addition, the developer can easily work outside these structures (the price being that "automatic" features of the framework might no longer work in some cases).
In order to prevent access to directories in your site you have to do one of the things you mentioned: either use web-server-level mechanisms such as .htaccess or move the directories outside the web root entirely.
That said, in many cases there is no explicit need for such security: by strictly limiting the pieces of code that can produce immediate effects (typically down to just one front controller that boots up the application) and making sure that data is contained inside PHP code (so that the web server will not reveal the contents of files) you effectively render direct access from the outside worthless.

Consolidate multiple site files into single location

We have a custom PHP/MySQL CMS running on Linux/Apache thats rolled out to multiple sites (20+) on the same server. Each site uses exactly the same CMS files with a few files for each site being customised.
The customised files for each site are:
/library/mysql_connect.php
/public_html/css/*
/public_html/ftparea/*
/public_html/images/*
There's also a couple of other random files inside /public_html/includes/ that are unique to each site. Other than this each site on the server uses the exact same files. Each site sitting within /home/username/. There is obviously a massive amount of replication here as each time we want to deploy a system update we need to update to each user account. Given the common site files are all stored in SVN it would make far more sense if we were able to simply commit to SVN and deploy to a single location direct from there. Unfortunately, making a major architecture change at this stage could be problematic. In my mind the ideal scenario would mean creating an account like /home/commonfiles/ and each site using these common files unless an account specific file exists, for example a request is made to /home/user/public_html/index.php but as this file doesnt exist the request is then redirected to /home/commonfiles/public_html/index.php. I know that generally this approach is possible, similar to how Zend Framework (and probably others) redirect all requests that dont match a specific file to index.php. I'm just not sure about how exactly to go about implementing it and whether its actually advisable. Would really welcome any input/ideas people have got.
EDIT AllenJB's comment reminded me that we have previously explored AliasMatch as a potential solution to this, we ended up with an general.conf file for a user that looked something like this:
php_admin_value open_basedir "/home/commonfi:/home/usertes:/usr/lib/php:/usr/local/lib/php:/tmp"
php_admin_value include_path "/home/commonfi"
AliasMatch (.*).php /home/commonfi/public_html/$1.php
AliasMatch (.*).html /home/commonfi/public_html/$1.html
You can set this up via the Apache configuration - you probably want Alias, but there are several options:
http://httpd.apache.org/docs/2.2/urlmapping.html
You certainly can build a "cascading" system as you describe (load local file, if that doesn't exist, load global file). The complexity is that the files are loaded in different ways (using include() in PHP, through the web, ... maybe even more ways?)
Filesystem includes
If the includes/ consist of files containing one PHP class each, you could use an autoloader like Zend Framework does. The autoloader would look first for a custom version of the include file, and if it doesn't find one, include the global version instead. I happen to have such an autoloader handy if you need code to start with.
If the includes don't match the one-class-per-file structure, you would have to build a custom include() function that fetches the local version of the file or, failing that, the global one.
Pseudo-code:
function fetch_path($name)
{
if (file_exists(LOCAL_DIRECTORY."/$name")) return LOCAL_DIRECTORY."/$name";
if (file_exists(GLOBAL_DIRECTORY."/$name")) return GLOBAL_DIRECTORY."/$name";
return false;
}
Web resources
The second part is going to be the web part (i.e. Web URLs with local or global files). I think this should be pretty easily solvable using the -f switch in a .htaccess file. You would build a rule that rewrites failed requests (!-f) to the local web resources directory (example.com/css/main_stylesheet.css) to the global one /home/commonfiles/public_html/main_stylesheet.css). You would need to fiddle around with Apache's server config to be able to rewrite local requests to the commonfiles directory, but it should be possible.
That is maybe worth a separate question.

Categories