So, all I'm attempting to do with this .htaccess file is prevent anybody that isn't the server from being able to view the file e-mails.txt. The server needs access to it for a php script(using fopen). Everything I've read says this should work, but this is preventing any file in the directory, and subdirectories from what I can tell, from being accessible.
<Files e-mails.txt>
Order deny, allow
Deny from all
</Files>
Also, before when .htaccess was similar, it wasn't blocking the entire directory, but it was preventing the .php script to function properly, which is what caused me to delete it, which fixed the .php script but let e-mails.txt be visible to everyone. So then, when I re-created it and used the above code, the entire site/directory is spitting out a 500 error.
May be, you can write a rewrite condition for this file to 404 or 500 error page. This method render impossible access over http.
Related
I am creating a website with my own CMS. My problem is that I can access certain files via a URL in the browser.
I have tried to block it via .htaccess but when I do that, it also stops my functions from working, because they are blocked.
Does anyone know a solution for my problem?
Are your functions in a server side script or a client side script?
If they're server side, you can block HTTP access to the files by putting them in a directory that doesn't need to be accessed through HTTP and then putting a deny from all directive in that directory's htaccess file.
If they're client side, then you can't block access to them and still have the scripts work. The browser is executing the script, and it needs to access those files. You can do hacky things like refusing to serve the file unless a certain referrer URL is present, but I advise against doing that because it can cause problems with usability, caching, and search engines.
Add line at the end of .htaccess
Options All -Indexes
or Use
<FilesMatch "*\.(css|js|png)$">
Order Allow,Deny
Allow from all
</FilesMatch>
I'm building a site that uses many files,many of which should never be accessed via the browser. For example there's a mysql_conect script that every MYSQL query page users, but if the user were to navigate directly to that page via URL(example.php/mysqlconnect.php) the screen would return blank..How can I make it that the browser returns a 401 permission error when the user attempts to access these files directly?
There is no need to do that. Unless you echo the values, you're safe.
PHP wont render in the browser unless told to do so. Many (all) scripts do what you're explaining.
As #Paul says, there is no need to do that, the user will never see the content of the php file if he points the browser to example.php/mysqlconnect.php, but if you want you can drop a .htaccess file in the same directory where the mysql_connect.php script is with the following content:
<Files mysql_connect.php>
order allow,deny
deny from all
</Files>
Or if you want to restrict access to the whole directory the content of the .htaccess file needs to be:
deny from all
Or
Options All -Indexes
You can see more configuration options in .htaccess files here:
Htaccess tricks
in particular situation you can place your file wherever you want and add the following code to your file
if(basename($_SERVER['PHP_SELF']) == 'mysqlconnect.php')
header('HTTP/1.1 401 Unauthorized');
exit;
so if the file is requested directly, it will return 401 status code and exit.
I have a login page for my website. In the php script of this page, I have connection.inc which includes mysql connection data. I am aware that this is not secure as anyone can access it by going to www.example.com/connection.inc.
I have added .htacess to the root folder with
<Files ~ "\.inc$">
Order allow,deny
Deny from all
Satisfy all
</Files>
in it.
Now when i go to www.example.com/connection.inc it now comes up with error 403:forbidden.
Is this now highly secured. i.e can no-one now access this information?
If you changed the extension from .inc to .php then you have less risk. If they access the connection.php file from the browser, they will just get served a blank page.
If someone accidentally deletes the .htaccess file, or it became inactive for some reason, it no longer will deny access to the file.
On the flip side, the same can happen with PHP. If someone messes up the server configuration and .php files aren't handled by the PHP engine, they will be output usually as text or octet/stream and the full source will be served.
Bottom line, you are probably safe using your .htaccess method, but if you can, just change the extension to .php and then you can skip the .htaccess for that completely. You can still include the connection.php just as you do the .inc.
Also, your MySQL user is probably only allowed to connect to the server from localhost. If that is the case, even if I knew your username and password, I couldn't connect because I am not coming from the right host. Additionally, it is possible that MySQL is not listening for connections on all addresses, and possibly only on localhost, but that depends on how it is set up.
I have a processing file for my website's payments. It works just fine, but what I would like to do is log all the requests to this page so that if anything throws an error, the raw data is saved and I can process the transaction manually. The processing file uses fopen to write to the log file in another directory.
What I have right now is a separate folder on my root directory with permissions 755. Then a log file inside with permissions 777. The processing file that writes to the log file, in PHP if that matters, is set to 777.
This works right now, but the log file is publicly available. I know I can be doing this better and that the permissions aren't correct. How can I do this better?
Put the log file outside the document root. The PHP script that writes to it will still be able to get to it (via the full path) but Apache won't be able to serve it.
I came across this whilst searching the answer for myself. I don't believe there is a simple "permissions fix" to do what you want and perhaps the safest way is to put the log files outside of public_html directory.
However this can be a nuisance sometimes - especially if you are wanting to e.g. catch paypal ipn dump text in a log file, but not have it publicly accessible.
In such cases, you can use .htaccess file directives to allow write from script, but deny reading from public access.
For example, this works for me (Apache .htaccess in root public_html folder);
<FilesMatch "mycustom\.log">
Order allow,deny
Deny from all
</FilesMatch>
and if you have multiple logs you want to protect, use it like this, with "Pipe Separated";
<FilesMatch "mycustom\.log|ipn_errors\.log">
Order allow,deny
Deny from all
</FilesMatch>
It is worth noting that the above directives are deprecated as of apache 2.4 and you may wish to consider using more current directives instead: https://httpd.apache.org/docs/2.4/howto/access.html
Hope that helps you!
Last night I made some admin changes to my webserver. I use php. The php processor failed after the update and if someone went to my homepage, the php page would simply download and show the proprietary code and password to anyone visiting. So I was wondering if there is a way to prevent any form of download for php files using .htaccess -- but still allow for normal viewing of the files.
A good pattern to follow during development is to use a minimal initialization file, which invokes the actual application which resides outside the webroot. That way only a minimal stub with no critical information is exposed in a case like this.
Simplified example:
/
/app
critical_code.php
/webroot
.htaccess <- rewrites all requests to index.php
index.php <- invokes ../app/critical_code.php (or other files as requested)
The trouble here is that either .htaccess is serving your files to the user or it's not. You can't tell it to deny access to the .php files, because then access will be denied during normal use, as well. There is no fallback behavior for the PHP processor simply not running correctly.
Maybe it's worth temporarily moving the web root to point to an "under maintenance" site when doing big things like that, to minimize risk as much as possible.
Assuming you're using Apache, your .htaccess file would look something like this.
<FilesMatch ".*\.php">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
<IfModule php5_module>
<FilesMatch ".*\.php">
Allow from all
Satisfy All
</FilesMatch>
</IfModule>
The first rule denies access to all .php files. By default, the user will see a 403 (Forbidden) error.
If the PHP5 module successfully loads, the second rule will take affect, which grants access.