I've been using codeigniter for a few months, and for my first couple projects I've just put all the files in the root. It's working okay that way, but a reading of the manual suggests for security reasons the system and application files should be moved--while index.php should be in the root.
I'm starting a new project, going back and reading the directions again, and trying to do exactly what they say to do this time. However, I'm having trouble understanding the following instructions, given in this page of the manual:
"Install the CodeIgniter folders and files to your server. Normally the index.php file will be at your root."
"For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser."
So, reading this, I don't really understand exactly where I am supposed to put the files. Currently, as unzipped, it's a folder I've called codeigniter, with the all the ci files: system, application, user guide, index.php etc.
So my new Web site currently has this structure:
--www.mywebsite.com
------Public
Should I make it this?
--www.mywebsite.com
-----codeigniter
--------application
--------system
--------assets
--------user manual
-----------Public
______________index.php
So basically only index.php would be in my root? (And maybe assets and user manual if I want?)
I did read somewhere that if I move system and application files I need to change their path--that should be easy enough, but I want to make sure I am correctly understanding what the ci manual is suggesting before I invest all the time in making the new setup work properly.
Any help would be much appreciated!
you can do something like this
www.mywebsite.com (folder where its located/root) - (Ex: If AWS - /opt/webapps/mysite/)
other
- application
- system
- assets
index.php
.htaccess <-- mainly to remove index.php from URL and other stuffs as well
then in index.php (on root)
$system_path = 'other/system'; # Line 100
$application_folder = 'other/application'; # Line 117
When calling CSS/JS/Images on assets folder
<link rel="stylesheet" type="text/css" href="<?php echo base_url()?>other/assets/boostrap.css">
Hence you can revoke permission to System folder with the help of .htaccess. (They(Codeigniter Team) already did that). If you open system folder there is file called .htaccess. Open it you can see something like this
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>
What I suggest you to do from security
Set base_url() correctly
Use Codeigniter Input methods. (to prevent injections. read more on this)
Resources of links
Security - Codeigniter.com
Some more about Security - tutorialspoint.com
Related
I have been reading on how to protect my .php includes. The main suggested option is to place the .php files I want to protect outside the folder that serves the .php files which is /public_html in my case.
So, I decided to make a folder named /includes and I access my .php includes from the /public_html .php files like ../includes/file.php. This works nicely but I am being a bit paranoid.
Can I go ahead and add an .htaccess with the following line on /includes:
Deny from all
I know the user is not supposed to access the /includes in my case. Though, would that .htaccess file in /includes hurt me in any case?
Thank you.
A really good way is to have a front controller (FC) manage all of your resource requests, and htaccess to route everything to the FC.
Then if someone tries to access something on your site it'll be routed through FC. It will in turn call a router which should only allow loading of files this way which are in a specific directory.
So attempting to navigate to (eg) includes/someScript.php wont work because FC wont route a web request into the includes dir.
This won't affect your requiring them within PHP files as this request wont go through the FC.
I'm very new to php and web , now I'm learning about oop in php and how to divide my program into classes each in .php file. before now all I know about php program, that I may have these files into my root folder
home.php
about.php
products.php
contact.php
So, whenever the client requests any of that in the browser
http://www.example.com/home.php
http://www.example.com/about.php
http://www.example.com/products.php
http://www.example.com/contact.php
No problem, the files will output the proper page to the client.
Now, I have a problem. I also have files like these in the root folder
class1.php
class2.php
resources/myFunctions.php
resources/otherFunctions.php
how to prevent the user from requesting these files by typing something like this in the browser ?
http://www.example.com/resources/myFunctions.php
The ways that I have been thinking of is by adding this line on top of every file of them exit;
Or, I know there is something called .htaccess that is an Apache configuration file that effect the way that the Apache works.
What do real life applications do to solve this problem ?
You would indeed use whatever server side configuration options are available to you.
Depending on how your hosting is set up you could either modify the include path for PHP (http://php.net/manual/en/ini.core.php#ini.include-path) or restricting the various documents/directories to specific hosts/subnets/no access in the Apache site configuration (https://httpd.apache.org/docs/2.4/howto/access.html).
If you are on shared hosting, this level of lock down isn't usually possible, so you are stuck with using the Apache rewrite rules using a combination of a easy to handle file naming convention (ie, classFoo.inc.php and classBar.inc.php), the .htaccess file and using the FilesMatch directive to block access to *.inc.php - http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess/
FWIW all else being equal the Apache foundation says it is better/more efficient to do it in server side config vs. using .htaccess IF that option is available to you.
A real-life application often uses a so-called public/ or webroot/ folder in the root of the project where all files to be requested over the web reside in.
This .htaccess file then forwards all HTTP requests to this folder with internal URL rewrites like the following:
RewriteRule ^$ webroot/ [L] # match either nothing (www.mydomain.com)
RewriteRule ^(.*)$ webroot/$1 [L] # or anything else (www.mydomain.com/home.php)
.htaccess uses regular expressions to match the request URI (everything in the URL after the hostname) and prepends that with webroot/, in this example.
www.mydomain.com/home.php becomes www.mydomain.com/webroot/home.php,
www.mydomain.com/folder/file.php becomes www.mydomain.com/webroot/folder/file.php
Note: this will not be visible in the url in the browser.
When configured properly, all files that are placed outside of this folder can not be accessed by a regular HTTP request. Your application however (your php scripts), can still access those private files, because PHP runs on your server, so it has filesystem access to those files.
Every sub directory inside the directories 'application' and 'system' in my codeingiter web application has an index.html file. Inside this HTML file there is what looks to be a standard error message. It contains this code:
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>
I assume these are created so that if anyone tried to visit a directory inside either 'application' or 'system' it wouldn't list all the files, but would instead show an error.
These seem redundant though as I have added an .htaccess in each directory to deny all access. Every PHP file in those two directories also has the first line:
if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Which should mean that no one can view any of those files at all (as I am protected once by the .htaccess and once by that line of PHP).
Therefore my question is - in the interest of keeping my web application organised and clutter free, can I safely remove these index.html files? Will this cause any bad side effects to my codeigniter web application?
Thanks in advance
Yes, you can remove them.
but even if you have proper rights in place, you should have them there. as they are there on only purpose, in case, you forgot to implement proper directory browsing rights
as far as you set your .htaccess file,, which is not redirecting towards or have no relation with your index.html file, you are safe (and no use to keep) to remove your index.html. But you should be careful. index.html can help in case if you fail with your .htaccess
In general You can remove those index.html files but you need to be sure that directory index is disabled in you web server configuration.
For Apache web server you can use Options -Indexes either in global configuration or in .htaccess files like this:
<Directory /wwwdata/ >
#disable directory index
Options -Indexes
#other options ...
</Directory>
Those index.html files in CodeIgniter prevent (in any case) directory listing wich can lead to serious security flow.
While I agree that a .htaccess and the basepath condition checks are good enough, I do not really think that having two html files in two directories really clutters anything. You can never be careful enough when putting things on the web, and the CodeIgniter guys sure would have thought about it before adding it.
I really do not see any value addition removing them, but if that is what you want to do go ahead.
But I suggest keeping index.html as well. Keeping index.html wont harm your application but sure it do some sort of protection.
If you say that you have forbidden access to the directory with .htaccess then you can safely remove them and let your worries go away!
But in case the directory is used by PHP script for some reasons and puts something in those directories and then provides a link to a user, just for example, than it will not work properly and you will have to remove your .htaccess restrictions.
I would just recommend to leave just a blank index.html and when a user reaches the directory there will be just a blank page displayed.
Or you could force a user to be redirected to the main page with index.php, for example:
<?php
header("Location: ../");
?>
I have an idea that will allow a Web Forums Content/Threads to be better indexed by search engines but avoid taking up too much unnecessary space on the web server.
My idea is not unique(I think StackOverflow uses it) but I am having difficulty working out how I am going to achieve redirecting through .htaccess commands or main server configuration files.
For a web forum website; when a new thread is created:
I store the thread HTML in an SQL database(rather than creating a HTML file which I think will take up more server space - is that correct?).
I create a directory on the server where the directory's name is the threads name(this will allow for easier indexing from google & other search engines wont it? Because the url is more descriptive?). So www.myForum.com/posts/unique_thread_name/. I think this is how StackOverflow does this, if you look at the url of my question its a directory.
The new directory(thread directory) will be empty except for a .htaccess file which will redirect to a script www.myForum.com/cgi-bin/loadWebpage.py. This script will grab the thread's HTML from the database when accessed & display that thread.
So when someone accesses www.myForum.com/posts/unique_thread_name/, the .htaccess file will redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=unique_thread_name. Notice the arguments, is it possible for a .htaccess file to redirect to a script but pass arguments aswell?
My Questions:
The apache website says you should never use .htaccess files "In general, you should never use .htaccess files unless you don't have access to the main server configuration file.". If I am using a webhost like GoDaddy do I have access to this file or is this server config file only for VPS?
Is it better to do this with the Server Config file instead?
Is there a way easier way of doing this? The whole idea is to store Forum Threads that take up as little space as possible but are still easy for search engines to index(thus the unique directories created).
Do I NOT need to create a .htaccess file in each post directory? Can I just write in my main .htaccess file that any request to a file/folder in posts should redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=the directory they accessed?
Maybe the code would look something like this?
Redirect /posts/* www.myForum.com/cgi-bin/loadWebpage.py?thread="HOW DO I SPECIFY THE FOLDER?"
If I am using a webhost like GoDaddy do I have access to this file or is this server config file only for VPS?
Godaddy shared hosting only allows .htaccess use.
Is it better to do this with the Server Config file instead?
Its better performing if you have access to Server Config, but shared hosting like Godaddy does not allow it.
Do I NOT need to create a .htaccess file in each post directory? Can I just write in my main .htaccess file that any request to a file/folder in posts should redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=the directory they accessed?
You can do it with a single .htaccess in the root dir of your site with contents as below
RewriteEngine on
RewriteBase /
RewriteRule ^posts/(.+)/$ /cgi-bin/loadWebpage.py?thread=$1 [NC,L]
I want to make it impossible for users to access a certain scripts running on my server.
The best way i can explain this is by explaining a brief description of how the root level of the website works.
ROOT contains 4 scripts:
index.php
home.php
error.php
results.php
In the index file, i have included and directed the user to these 3 files, on certain instances.
Now, this causes a bit of a problem, as the index file includes the neccessary controllers and any addittional scripts before the new script is included and the users' point of view changes to the new "webpage". I have done this as it provides a very quick experiance for the user, as in the the page load times have become very low.
Now these files have been set with the robots no index meta, and are removed from the sitemap. I want to go one step further, and make it impossible for users to access these scripts direcly, as in by typing http://www.mysite.com/results.php
This is because if they do they are greeted with an ugly, unfuctional page that has not had the layout variables, or main css stylesheet defined.
Here is a brief outline of index.php:
<?php
ob_start();
$activeHome = 'active';
require_once $_SERVER['DOCUMENT_ROOT'] . '/../../includes/config.php';
require_once($docRoot . '/includes/layout.php');
...
include 'home.php';
?>
This script includes any code that configures the 3 other scripts. as in
if (isset($_GET['register']))
{
header('Location: http://www.mysite.com/register/');
exit();
}
And here is the same for home/results/error.php
<?php
....
echo $head1 . $pageDetails . $head2 . $header . $pageContent . $footer;
exit;
?>
In these scripts all of the varibles except for pageDetails and pageContent are defined in the layout script, along with the main css file.
So as you can see by the setup of this website, i do not have very many options left, unless to restrict these pages by a php function which i presume would be fairly complex and more than likely over my head... I assume it would involve heavy use of global or session variables, which is not something i am all to keen about. An easier way, i thought, would be to do this via the htaccess file. But i am not all that knowlegable when it comes to htaccess commands, and i am not so sure if this is even possible going that route.
Would anyone with a bit more knowledge on something like this, like to offer their opinion or any input or advice?
You have two choices.
1. Move the files outside of the web root - This logically makes more sense. If the files aren't meant to be accessed by the web server they should be outside of the web root. This would be the preferred method as long as you (and the web server's user and group) have access to the directory that contains your php scripts. It is also more preferable because you don't need Apache specific (or even mod_rewrite specific) .htaccess rules so this will be portable to most other server flavors. A sample directory structure might looks like this:
/
/www
/index.php
/includes
/home.php
/error.php
/results.php
Just make sure that your webserver's user has access to www and includes and your webserver configuration allows you to work outside of your web root (most apache configurations only allow you to work within it).
2. Add htaccess rules to prevent those from being accessed - This is less preferable. If you want to be stubborn or you have a legitimate reason for keeping the files in your web root, this would be the way to do it on Apache.
RewriteEngine On
RewriteRule ^(home.php|error.php|results.php)$ - [L]
To prevent users from accessing /register/register.php:
RewriteEngine On
RewriteRule ^register/register.php$ - [L]
If a file should be accessed only from another script, and not directly via HTTP, then don't keep it under the HTTP server's root directory.