I have a website that is written in four different languages (written in PHP). For every page I need to go through an index.php file. Is it allowed to have an index.php file inside every language folder?
How can I configure it in the .htaccess file? Because when I put it online I get an error saying
You don't have permission to access /de/index.php on this server.
There is also an index.php file in the root
Thanks for your help !
Related
I'd like to know how i can go about denying direct web access to configuration files of application whilst allowing php to access them.
I know most answers would suggest to put the includes outside the public_html directory. But I really don't think it's that efficient.
Thanks.
PHP just uses the file system to access files where web users usually go through apache and that verifies a .htaccess file. So just place that file that contains deny from all into that directory and voilla.
I am developing a website for myself and I just wonder how can I prevent direct access to include files like header.php and footer.php. Those files should only be incorporated in pages like index.php or other pages wherein they will be called using <?php include(''); ?>. Should I do it through PHP? How about editing the .htaccess file or are there any other methods?
place the files(s) in a directory out side the web root.
the web server will never serve theses files to users.
php et.al. can still access the files via include\require etc
This has been the gold standard approach for several decades.
I offered 3 suggestions and since you didn't provide much to go one, I will give you one elaboration.
As #Dragon eludes to, when you use include() your reading via the file system and not via a HTTP Request. You can check for an HTTP verb ($_REQUEST, $_GET, $_POST) and refuse to show content or fake a 401.
<?php
if(isset($_REQUEST) || isset($_GET) || isset($_POST)){
header("HTTP/1.0 404 Not Found");
die();
}
// Do the needed
?>
I will let you figure out the gotcha on your own here.
It would be perfect if your server is linux, because then what you can do is follow Dagon's suggestion of placing the files to include outside of the web root.
The web root of course is the base folder that contains files the outside world is meant to access. On many systems, this is the public_html folder.
On a system with WHM/cpanel installed, you might have a special user account where the root of that account (where anything can be stored) is located at /home/user on the entire system. This can be viewed by using the file manager utility included with cpanel when logged in. In that /home/user folder, you may find configuration files and folders starting with a period as well as public_ftp and public_html folders.
In the /home/user folder, you can place the PHP files you don't want the world to directly access. Then In public_html, (accessible within /home/user) you can place the index.php file that has the include statement to the "protected" files. That way in index.php you can use this statement:
include "../file-to-include.php";
Just make sure that the administrator has set the owner of the /home/user folder to the same username you login with or you may get access denied messages when trying to access the file. On a decent cpanel setup, the last step would have already been done for you.
I have different folders in the site I am making.
What if the user tries to enter that folder, How would I not let them see what's inside?
Or can I redirect them into another page saying that they don't have the permission to access the folder/ invalid url?
I read something about htaccess but I dunno how that one works.
I am currently doing some trick (like adding index.php in the folders with a message saying they don't have permission to access) to every folder.
But it's kind of a pain. And I believe there's an easier method.
It depends on the contents of the folders:
If it contains php or configuration files that are never to be opened directly (or anything else that never needs to be requested directly by the browser), you should not put them in the web-root;
If it contains assets that are included in html but you do not want the visitor to browse the directory, you should configure your web-server so that directory browsing is disabled;
If only certain logged-in users should be able to open certain files, you should handle that in the file itself, not on the directory level.
If you cannot move your directory out of the web-root but nothing in it needs to be accessible by the browser, you can put an .htaccess file in that directory with just the following contents:
deny from all
This is something you should accomplish on a server level.
Basically restraining access to these folders on UNIX (chmod -r) for example will take care of this for you.
I'm building a webpage which has a page allowing users to log in, called login.php. This page is located in the same root directory as my index.html page. When I open up index.html and go to click on the login link, I get this error message:
Fatal error: Unknown: Failed opening required '/websites/testsite.com/www/login.php' (include_path='.:/usr/share/pear') in Unknown on line 0
I have no idea why this isn't working because my index page (and every other page that I have made thus far) links to that same login.php page, which exists in the same directory. Any advise?
If it helps, I'm running Arch Linux with Apache HTTPD 2.2 and PHP 5.3.8. Thank you!
EDIT:
I forgot to mention some extra information. Since I'm working on this website with another person, we each have "local" copies of this website in our user directories. (I say local, but it's really our user directories on the same server which is hosting the public version of this website). Apache is set up to allow user directories (http://thisismytestwebsite.com/~myusername), which is how we view our "local" copies. When I go to click on the login link, the page loads up fine. Everything that we have is backed up using Git, and everything that we have is synchronized properly (we just checked).
Check if the file you're trying to open exists, and that the path is an absolute path.
It's fairly easy to generate a relative path from one file to another:
dirname(__FILE__) . "/../include.php";
Will include the file 'include.php' from one folder up from where the current file is.
__FILE__ is a magic PHP constant, use it!
Probably the apache process is blocked from reading the index.php file due to file system permissions.
Try to adjust permissions (chmod) and ownership (chown) of the file according to your working index.html
Any help on this would be greatly appreciated:
I have a website running with php on IIS6 IIS7. I am protecting all the .php files by starting a session. The .php pages can only be accessed if the session is started by logging in through the login.php page
All my .php files are in the following directory (using as example):
home/dir
Is it possible to use php and .htaccess to protect all files in the following directory:
home/dir/files
The files in this directory are word files, pdf's and other files types.
Once the user has logged in through login.php I don't want them to have to retype their username and password when trying to access home/dir/files
I hope that I made sense. Thank you.
In general, a good way to do this is to have the static files outside your website directory structure but still somewhere that the web server has permissions to access them. Then, since you're using PHP anyway, when a user requests a document, they would really be requesting a PHP page that checks the user's permissions then, if the user has adequate permissions, serves the file.
.htaccess are generally associated with Apache, not IIS, but see Is there a file-based equivalent to .htaccess in IIS6?
That said, perhaps you could put your files directory out of harms way and put it somewhere outside the document root. Then you can control download of each file through a PHP script which checks the authentication details.