I'd like to stop the user from directly accessing the files in a directory via their URL, but would still like to be able to use them inside a PHP program via include or require functions.
Mention the below line in your .htaccess file. It'll definitely solve your problem.
RewriteRule ^includes/ - [R=404,L,NC]
It is possible to put a .php file outside of the public_html folder. For example, if your public_html folder is at /my/domain/public_html/ you could put your PHP files in /my/domain/php_files/ and still access it from scripts within the public_html folder by using absolute or relative paths, but since it is outside of the public folder it will not be accessible over the web.
Keeping files outside of the public document folder is recommended best practice for configuration files etc. for security reasons.
<Files conf.inc.php>
order allow,deny
deny from all
</Files>
Related
How to deny direct access to website files if a user from out side want to open them with url but allow website files to access each other by include 'file.php' in php files.
I have a .htaccess file.Can I do this with this ?
You do this by having the PHP files outside of your webroot. Your scripts that actually need to be accessible need to be in or beneath your webroot. You typically see PHP projects these days that have a structure like this:
/projectname
/app
/src
/web
The use of composer for dependency/component library management is the state of the art these days and if you are using it it will create other directories like vendor.
So your front controller or other web accessible scripts go into projectname/web and this is what you set your webroot to.
Your other scripts go into the /projectname/src.
Your include/require statements need a filesystem path, so you can reference them either via relative addressing or using a full path.
Typically people will have a bootstrapping include or use a front controller (everything goes through index.php) where include paths are setup. With component libraries you also want your class loader to be instantiated to resolve any libraries you might be using in your project.
Again the use of composer is highly recommended and will generate your class loader for you, and then it's just a matter of making sure it is included.
This .htaccess-file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
I'm in a situation wherein I have file includes but I don't want other people going on the "includes" directory and viewing the pages individually via browser.
I'm quite familiar with how to approach it via inside the PHP files themselves but I want to use the .htaccess for preventing it this time.
So how do I configure .htaccess to prevent users NOT coming from a certain referrer from viewing the PHP files inside the "includes" folder?
.htaccess will work, but just to suggest an alternative - why not move your include directory outside the webroot? Your scripts can still access it, and there's no need to configure apache to deny access.
Put a .htaccess file in the directory you would like to not be viewed and put this in there:
order allow, deny
deny from all
This is the simple block all approach. More info on how to block by referer can be found here.
Hope this helps.
As lot of web hosting solutions explicitly limit you to working within the a public_html (or equiv) hierarchy. So I use a simple convention: if I don't want a file or directory to be private -- that is not accessible through a URI -- then I prefix its name with either a "_" or a ".", for example my PHP includes directory is called "_includes".
I use this pattern in my .htaccess files to enforce this:
SetEnvIf Request_URI "(^_|/_|^\.|/\.)" forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
You can use this approach, but modify the regexp to whatever suits your personal convention. One advantage is that it works with this template in your DOCROOT .htaccess file. You don't need to have .htaccess files in the restricted subdirectories.
:-)
Is it possible to set the .htaccess file to deny all users but allow includes such as PHP functions or CSS?
Thanks
Yes, that's one of the most popular uses of the .htaccess file. Set up .htaccess to deny all. Nobody can download the pages in that directory, but you can include php files from this directory in your other directories. You can't really host css files in the directory and then deny all, because the user has to download these directly. Same goes for images and javascript files. Basically, anything the client has to read shouldn't go in a "deny-all" directory, but stuff that only needs to be read by the server, like php includes are fine.
If you don't want something to be downloadable, then don't put it into a public-facing directory. Put those files in a different directory outside the webroot.
This way they don't get exposed if the .htaccess gets disabled somehow.
On .htaccess how would I be able to disallow PHP files from accessing anything outside their directory, without using open_basebdir()?
Basically I'm going to generate .htaccess files into some dynamically created sub directories that cannot interact outside of themselves.
EDIT: Sorry I meant accessing, not moving.
.htaccess files are for Apache, not PHP.
What you want to do sounds more like the job of a VirtualHost.
php doesn't even know about the existence of your .htaccess files, so they can't avoid any script from moving any file
Something like this?
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from #Root dir of your php file
</FilesMatch>
Looking some frameworks like Code Igniter I see they use a "defined" check on the syspath to prevent users opening the files from the subfolders, and also an index.html placed on every folder.
Can't I just use a mod_rewrite and get rid of these checks?
Is the mod_rewrite enough to let the users access only the index.php of the entire application?
You can move all the files for your application out of the web root and only have those files there that should be accessible by users.
Place all non-accessible files in folders and then put a new .htaccess file in each folder containing:
order deny,allow
deny from all
This will prevent HTTP access to those folders in Apache (other servers will have equiv. options). We use this to prevent access to incldue/, which contains the libs, static config etc.