I have a website wrote in PHP and running with WAMP server.
I am wondering if it's possible to access a file using a different URL of than original path??
Actually I have a file in X:/wamp/www/test/test2/index.php and I use localhost/test/test/index.php to access it. But can I create an alias or something to use localhost/index.php ?
One way to do this is via Apache's excellent ModRewrite.
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
Related
I've got a legacy PHP project to fix a thing or two. I've downloaded it via FileZilla and served it on my local machine with a local copy of the database. The project is exactly the same with the live one, yet the live one can open the url/contact.html but on my machine it says no such file is found. All other pages go for url/categories/ or url/products/ so I've tried altering the url but no use.
All the other pages within the site are simple: one .php controller one .php model and one .tpl smarty template view. Requiring no .html at all. But this one is somehow different. The .htaccess file is exactly the same as the live version. I've tried adding a rewrite rule to direct every .html to .php but didn't work. I'm lost and out of options, please help? It doesn't even have to be an answer,"Try looking into that" would work too.
I'm working via XAMPP on windows, and I've configured the https:// to http:// on my project but that's all. Even hidden files are checked and confirmed.
have checked that contact.html is a static file (like a real existing html file?)
is there some kind of "routing" within the PHP of the project? If there is route urls might be really anyware.. in the mysql database, redis, a json file and whatnot.. have seen them all.
try to debug where and how it works on the "production" server by using some logging to a file edit the file through filezilla and log to a 'mylog.log' file until you find out what is going on.. or if the site is not used all the time by clients - you can just try to echo stuff to figure out how this exact /contact.html works
I have a local version of Windows php to test my webpage. I run it using php.exe. It has a built-in webserver so pages can be accessed from a browser through localhost:/path.
If I enter an URL pointing to a file it opens that file in browser. I would like to configure it so that it shows the content of a directory if URL points to a directory. E.g. after inserting URL http://localhost:1234/foo/bar/ into the browser I would want to see the files in the bar directory listed in the browser. Similarly how other webservers do it when configured so.
My local PHP returns 404 instead.
Is there any way how to achieve that for this built-in webserver in php.exe? How?
The built-in server is specifically for quick development and debugging as stated in the command line server doc and directory listing is one of the features is lacks. This answer provides an example for building yours though.
I am working on an AJAX post from which needs to send data to a php file. This file is ONE located level above the domain root.
If my domain root is /root_general/root_domain/
The file php backend file is in /root_general/
I am trying to achieve this by using the dirname($_SERVER['DOCUMENT_ROOT']) url. But AJAX won't load the file, it tells me that the file wasn't found on this server. I am using Apache2 on Ubuntu and working with all permissions enabled.
How can I do it in other way? I need to put the file outside because it is supposed to be used by many different domains, and I think it wouldn't be clean to paste the same file inside every single domain root.
Edit: some code
When calling the file it's this way:
http[act].open('post',url,true);
You can't use AJAX to access files on the server. You can use it only to access URLs. So what you need to do is point an URL to that file you want to access. You can give it own domain, you can copy it a few times or you can have symlinks point to it.
This may be a really stupid question...I started worrying last night that there might be someway to view PHP files on a server via a browser or someother means on a client machine.
My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file in to a browser or some other system and see the code itself then it would be an issue for obvious reasons.
Is this a legitimate concern?
If so how do people go about preventing this?
Not if your server is configured right. I think discussion on how that is done belongs on serverfault.
To add on to the other answers:
If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?
The most important advice is missing:
Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.
For example
root
- webroot
- includes
- config
Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).
Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.
This depends on the file extension you have given the include file.
If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.
If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.
A Directory Traversal Vulnerability can used to obtain files off of the remote mahine. Alternatively you can use MySQL based sql injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.
Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's setup though.
Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:
Order allow,deny
Deny from all
This apparently protects the directory so that only local non web-access is possible.
This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.
Does anyone else use this method?
Just for good measure I've put the directory permissions to execute only.
And the include extension is PHP as suggested by others.
I recently saw a website in which the url was formulated like this:
http://subdomain.domain.com/script/?var=value
I was wondering how to do this in IIS, and how he put a slash in between the script and the GET variables, and how he had the script with no extension in the first place. Any help?
There are many ways to do this; I'll describe the simplest.
script is a folder containing a file called Default.aspx (or whatever is configured as the Default Document in IIS)
Therefore, when IIS sees a request to script/, it will send the request to Default.aspx, which then reads the query string.
Lack of filename defaults to the "index" entry, probably default.asp[x] there.
The best way to do it is with a URL Rewriter, like IIRF, or the built-in URL Rewriting module that's included with IIS7 and later.