Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
The hosting I am using allows protecting files with username and password. Will it "break" something if I put password on a file that is included or required in many php pages of my site?
Assuming this is HTTP authentication, this provides no password protection on the filesystem so including files from the filesystem will not be affected. This also does not prevent files from being read from the filesystem by other users if they have the permissions to do so.
This will only display a password prompt to users who access the file path from the web server (http://)
If you actually have private files that you wish only to be included from your PHP script, then you can keep them out of the public_html (or web server root directory) completely.
for example:
app/private.php
public_html/index.php
Inside index.php:
<?php
include "../app/private.php";
/* Other code */
?>
As app is outside the public_html directory, it will not be able to be served by the web server, but you can still include it from the filesystem.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 hour ago.
Improve this question
In shared hosting, I installed all laravel application files in the root folder (public_html). But also I deny the .env file via htaccess.
So is denying the .env file via htaccess enough for application security?
Do I have to install the app at the same directory level of public_html and do i have to create a symlink?
Thanks!
So is denying the .env file via htaccess enough for application security?
No.
Examples of where this would not be sufficient:
Someone could access files like storage/logs/laravel.log and see potentially sensitive information.
Misconfiguring/breaking PHP on the server would permit users to browse your PHP files as plain text, potentially revealing the entirety of your source code.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I just program a website with in the server a directory called "/src/PDF/" where all of my PDF documents are stored.
Actually I simply make a
<iframe class="mx-auto w-100" src="./src/PDF/mypdf.pdf#toolbar=0"></iframe>
to diplay it to the user, but any user can follow the link to "./src/PDF/" and access to all of my website's PDF !
You have to know that my website use account to access to the documents, so if you are a subscriber to the website or you acquired the PDF by unit, you can see it, if not you have a page to connect, subscribe or acquir it individually.
I heared about .htaccess but I didn't find any formation to program .htaccess propely for my case.
Can a charitable soul come to my aid?
Thank you very much for your time !
You have few options:
A) You put an index.html/index.php file in the directory. This could even be just a blank file. That way they don't see a directory listing.
B) You disable directory listing in your web server configuration, for Apache you can do this in an .htaccess file. Simply put in, or create an .htaccess file in src/PDF/ with:
Options -Indexes
With either of these options however nothing will stop anyone from just guessing a name of a PDF file, or someone giving them a link to view it.
I would at the very least move the PDF files to a directly that cannot be accessed publicly (ie: before your public_html) and then use random file names and reference the actual name of the document from a database. Then send the PDF to the browser through a PHP script where only authenticated users can see it.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
In which diretory should script files for cronjobs be saved? Available to the public inside var/www/html or better inside var/www/files or ...?
Re-posting comments from above, for easier reference and clarity:
Why would you want to make cronjob script files available to the public? If you're distributing them, var/www/* would be a fine place to put them. If you're intending to run them on your server, put them somewhere that isn't public facing, like your /home directory
Cron only needs its scripts to be in a directory it can access. While it can definitely access /var/www/, so can (potentially) the public; it depends on your configuration. If you're running Apache as your web-server, then accessibility of any directory under the web root (usually, and likely in this case, /var/www) is configured by .htaccess files (or in a Directory block in your main server config). By default, all sub-directories and files are accessible. If you don't care about other people seeing your cron scripts, go ahead and put it in var/www. Otherwise, put them somewhere else or change your server configuration
The best way to do that you want, is create a new directory dedicated to save the scripts, for example, /var/www/html/scripts
In that way, people is able to see the the sctipts and for crontab schedule too.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
Over the past, i've seen a cpanel account (with addon domains) getting infected from an outdated wordpress installation and spreading itself to other domains since all addon domains were included under public_html folder.
ie.
/home/user/public_html/domain1.com
/home/user/public_html/domain2.com
I know that this can be prevented by purchasing a reseller cpanel account and have seperated cpanel accounts for every domain, ie:
domain1: /home/user1/public_html/
domain2: /home/user2/public_html/
I was wondering if a php infection can be spread when the directory tree is as follows:
/home/user/domain1.com/public_html/
/home/user/domain2.com/public_html/
both domains got the same user but they are not sharing the same public_html folder, however they are sharing the same user.
Can an infection from /home/user/domain1.com/public_html/ take advantage of the user permissions and files ownage to be spreaded/copied to /home/user/domain2.com/public_html/
??
Yes, there only thing special about the public_html directory is that is the root directory the web server is using to serve files from. But as far as the file system on the server is concerned, it is all the same.
The problem is not with public_html, but rather file and directory permissions. A file run inside of the "public_html" directory can still access files in it's parents directory
If the server that is hosting cpanel gives you the ability to remotely add files to a directory inside of /home/user1, then your PHP files will also have access to it.
With PHP you can disable built in functions to chmod, and the ability to run shell commands which will prevent a PHP script from changing the permissions of files/directories, which may be worth looking at. But in general it's better to isolate each site from each other to limit potential security vulnerabilities
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I'm concerned about security. I need to allow a specific group of users to upload documents and for all other users to download them.
Where or what folder is the best place to allow this to happen? I read that outside the root of the site is best but then I've read conflicting posts.
Thanks for any help.
It all depends what you need to be able to do with them once they are uploaded.
Outside the web root is definitely best but if you then need to be able to show those files on webpages, you will need to write a handler or just save them inside the webroot.
Ideally you should never allow untrusted users to upload any file to a server and should certainly never allow untrusted users to upload files into a webroot as they could then use your server to spread malware or upload files that can be executed on the server and take control of your server or site.
You should always ensure that the minimum number of file types possible are allowed for upload so if a user is uploading an image, make sure they can only upload images
I generally save files to a folder outside the web root (note, not just outside my site root, but outside of the actual web root directory). You only asked for advice on where best to store the files, but presumably you are taking other steps to make the uploaded files secure (like, changing the name of the file, changing the permissions on the file, etc). Good luck!