How can I restrict PHP files from getting executed outside the application folder?
I am using CodeIgniter and I have heard it somewhere that this thing is possible in CodeIgniter.
Temporary, I have added request in htacess which will surpass each request from index file and will result in not found.
Add public folder, move index.php into it, inside index.php change application and system folder settings to ../application and ../system respectively. Point domain to public folder.
Related
I need some help.
I was reading the security recommendations of my hosting service and they say that ideally just put the
index file and files like css, js and img inside my root folder, and that all other files should be placed
off, that is, a level above.
I tried doing this in my tests, and I had some problems. The structure of the hosting folders is:
/
/htdocs
Inside /htdocs I put the index.php file and when accessing it through the url exemple.com/index.php works normally.
But putting other test files out of htdocs is what starts the problem. For example, if I have a file called contact.php
and I try to access it through the url exemple.com/contact.php I get the 404 error message.
So the question I have to ask is:
Is it possible to access url files that are outside of htdocs, or better to put all the files that will be accessed by the url inside
of htdocs and leave only configuration files outside this folder, like class, functions, database connection, etc?
And if it is possible to access the files by url, how would I rewrite these urls in htaccess?
and that all other files should be placed off
Yes, this is good practice. However, you're misunderstanding the implementation.
You can not directly access files outside the document root. But you can indirectly access them. I.e., the web server can't see them, but your programming code can.
Ideally, your site would use the front controller pattern. Here, your index.php file would serve every page of your app by intercepting every request and then routing it to the correct end point. I.e., you would never directly request /contact.php, you'd instead request /contact, which would get funneled to /index.php, which would load the required resources from outside the doc root.
I installed two codeigniter for desktop and mobile version. My directory structure is as follows:
www/projectfordesktop/application
www/projectfordesktop/uploads
www/projectfordesktop/projectformobile/application
My problem is that when I upload files from mobile site I want my file to be uploaded in main codeigniter application www/projectfordesktop/uploads. So, I want to access main codeigniter application base_url to www/projectfordesktop/projectformobile/. How is it possible.
I made two project because it redirect to m.project.com when accessed from mobile. And when access from desktop project.com. Is it good idea. If not, then is there any way I can use seperate view for mobile and desktop. Please help.
Thank you.
For security and a bunch of other reasons you absolutely do not want the upload folder in your application folder. And if at all possible you want your application folder and system folder above the public root. The other consideration - its possible and in some ways desirable to rename your application and system folder. So if your public folder is www
desktopapplication/www/
mobileappliction/www/
system306/www/
Now they are all safely above the public www, and they are labeled for what they are. Next you can have folders in the public folder, that contain the main index.php file for the specific application.
www/projectfordesktop/index.php
www/projectformobile/index.php
Open up the index.php file and redo the file paths to the application and system folder. Like
$system_path = '../../system306';
$application_folder = '../../desktopapplication';
The upload folder will now be either in www or one of the folders like projectfordesktop. Typically you would also put your css, js, etc files in there as well.
www/projectfordesktop/upload/
www/projectfordesktop/css/
www/projectfordesktop/js/
www/projectfordesktop/img/
Now - all the files which are public - are in a public folder. All the files which should be kept private - your application and system folder - are not public. And because you have labeled your application and system folder it makes it much easier to switch to different versions or revert back if needed.
I have created an upload folder at the same level of app and storing uploaded files there. Now I need to access those file via browser so need to have an http:// based address.
First, am I doing right? What are Laravel 5.1's recommendation? Where should files be stored? If no recommendation then how do I get ULRs?
Store the files within your public folder create uploads folder and then you can simply access from there using asset() function like as
asset("uploads/your_file")
You can use Request::root() to get the root URL of your website and then simply use Request::root()."/uploads/your_file"
I have been working on a flat PHP code - No MVC.
It has 1 index file with a form containing a radio and a file upload option + calls fuctions from 2 other .php files containing functions, and after submitting - it upload the file, loads PHPExcel library, manipulates the Excel file and outputs a download link to the edited Excel file.
Is there a SAFE way to run this on CodeIgniter without any problems?
(with the functions and not objects - or maybe a comfortable way to change my code without too many syntax problems, with the encoded security the CodeIgniter uses, ect')
You absolutely can use your "flat" php code along side codeigniter. Codeigniter is configured to use an htaccess file to route all calls which are not directories in the root server path, or files in the root server path, to codeigniter's bootstrap file (called index.php by default). Therefore if you were to make a request to a directory in your root path that existed, your http server would follow that path instead of redirecting your traffic to codeigniter.
What you would want to do is include a directory in your webroot (same directory as codeigniter's index.php file) and call it something that does not conflict with any of your existing controllers (if you have a directory with the same name as a controller the controller will be ignored for the directory) and move your "flat" php code into this directory.
Example directory structure:
/application
/system
/.htaccess
/index.php
/flatphp/file1.php
/flatphp/file2.php
/flatphp/file3.php
This might be hard to explain but I am looking for the best method of having one or a group of config files so if I need to update something its a little easier to do.
I have wrote a PHP application that has a sub folder for the admin side off the root folder and includes folder that is sub folder off the root folder as well .(see below)
the include folder has database config files, loads common variables and so forth. the problem is the path for the admin files that call for the database connection are obviously different than the files in the root folder.
so I started this but now I wonder if there is a better method than the route I am going.
`if($adminfile=="yes")
{
require('../includes/database/connect.db.php');
}
else{
require('includes/database/connect.db.php');
}`
I would really appreciate some advice, should I scrap this idea and have 2 location for the config file? Part of me hates to include in all the standard code $adminfile="no" I keep thinking is there a better way.
How do others solve this problem?
Check the value of your include_path in php.ini or your local config (via .htaccess for apache is another way to do it. If you add the path to demo to the include_path setting, then:
include('includes/database/connect.db.php');
or
require_once('includes/database/connect.db.php');
Will work from any file or sub folder.
Another way to do this is to include a single bootstrap file that has all the settings (i.e. not just your database ones) in your scripts.
A better way to do this is to route all your requests through a Front Controller that does anythign setup/teardown you need on every request. See PHP Front Controllers
you can define a constant in every file ... which defines the root folder you have
define('root', 'demo/');
and do
require(root.'includes/database/connect.db.php');
and this will work fine with any file you want to require