I have a problem with Codeigniters Security.
My Codeigniter Installation has the Application Folder, System Folder and a Assets Folder.
In my Assets Folder there is a Third Party PHP Script.
I want to Call this Script: DOMAIN/assets/FOLDEROFEXTERNALSCRIPT/EXTERNALPHPSCRIPT.php
Is there a option that i can call this File over the URL without a Controller?
I hope you have removed index.php from your url's which is done by either adding the below rewrite rules in the .htaccess file at your DOMAIN root directory, or by adding these rewrite rules in the virtual hosts.
Below rule means, to rewrite every url to index.php?params except if the current url contains "index.php or assets in it", now you can put any static content or even core PHP scripts in this folder to be access directly, with having CI in picture.
In your .htaccess file just add "assets" folder in the bypass rule, along with index.php
RewriteEngine on
RewriteCond $1 ^!(index\.php|assets)
RewriteRule ^(.*)$ /index.php?$1 [L,QSA]
Related
I have a cake PHP project in which I need to put a php file in root folder like 'faq.php' and link it somewhere in the project. But as soon as I point to the url it redirects me to the index page. I don't want to dig deeper just want to add an static link. Here is my .htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>
If you want to add any non-Cake content that needs to be accessed via the web browser in CakePHP you need to put it in the webroot folder as Cake's htaccess setup rewrites all other URLs. (If you're using the older CakePHP 2 the webroot folder is in app).
You need to put it in the app/webroot directory.
You can put any php and call it from wherever you want.
In your Templates Dir you will have an Element Dir - in there create a FAQ dir and in the FAQ dir create a file called faq.ctp.
Then in the faq.ctp just drop in your php code, same as you would if writing in raw.
To call you can just call the element from whichever model you are in like so:
<?= $this->Element('FAQ/faq') ?>
I've been trying to change my CodeIgniter file structure to make it safer and cleaner but I can't get it to work. I want to separate the application/system and the public files that are going to be visible to users.
- application
- system
- public
It works but I have to enter
example.com/public/index.php or example.com/public/controller
I want to be able to just type the base URL like example.com/controller.
How can I do it?
For CodeIgniter 3.x, the correct way to approach this (at this point in 2018 and after) is as follows:
Make a public folder in your root folder
MOVE your index.php file into this folder (to prevent ambiguity)
inside the moved index.php file, change the following:
change $system_path to ../system
change $application_folder to ../application
Now, we need an .htaccess file, but CI 3.x doesn't have a .htaccess file by default, soo.. how about stealing it from CI 4.x which has it by default? You can find it here:
https://github.com/bcit-ci/CodeIgniter4/blob/develop/public/.htaccess
I recommend you NOT include the line SetEnv CI_ENVIRONMENT development - instead, define this in your apache or NGinx .conf file so the .htaccess file can work anywhere.
Finally, you'll meed to update your .conf file so that DOCUMENT_ROOT is set to the subfolder named public (or whatever you chose to name it). Then restart Apache/Nginx.
That should give you the same results, and be much more secure.
-- UPDATE --
I found that I had problems with the .htaccess file from CI 4, however suspect it's my system that's the problem. This simple version did work however:
RewriteEngine on
RewriteCond $1 !^(index\.php|assets|images|js|css|uploads|favicon.png)
RewriteCond %(REQUEST_FILENAME) !-f
RewriteCond %(REQUEST_FILENAME) !-d
RewriteRule ^(.*)$ ./index.php/$1 [L]
As per the CodeIgniter Installation Instructions...
/var/application/
/var/system/
/var/www/index.php
For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser. By default, .htaccess files are included in each folder to help prevent direct access, but it is best to remove them from public access entirely in case the web server configuration changes or doesn’t abide by the .htaccess.
Under my root web directory, I have this two files:
aboutus.php
about-us.php
Now going to this URL http://local.com/about-us.php will render the file about-us.php. If I will do the inverse, how can I dictate the .htaccess that whenever the URL above is access, the aboutus.php will be rendered?
If you have access to the whole server config, the most efficient way to do this is to use mod_alias. Unfortunately this needs to be done in VirtualHost config - which is only accessible if you got root access to that server.
Alias /about-us.php /full/local/path/to/aboutus.php
If you cannot edit the VirtualHost config, use mod_rewrite (needs more server resources though, as every request has to be matched to those rules):
RewriteEngine On
RewriteRule ^about-us.php aboutus.php [L]
Should do the trick.
I have the following directory structure of Codeigniter Folder. You can see that I have put all my assets in the assets folder at the root of the application.
Base URL is defined as
$config['base_url'] = 'http://kamran.dev/Codeigniter/application/';
I tried modify it to
$config['base_url'] = 'http://kamran.dev/Codeigniter/';
but that didn't work either.
Can anyone please have a look and tell me what I'm doing wrong here?
P.S. Then I removed the .htaccess file from the application folder that contains
Deny From All
And this worked for me. But that doesn't seem like a good idea.
You have multiple options here. The easiest one is to move the assets folder to the same level as the application so that your directory structure is:
application
system
assets
css
img
js
Because the assets folder is not in a folder with the .htaccess with Deny From All it won't be blocked by your web server.
Alternatively you can add an .htaccess file in the assets folder with the following rule:
# /assets/.htaccess
Allow from all
I haven't tested this but I think it should work.
Another option is to change the .htaccess and put an exception on the assets folder but it's a very bad idea (with security implications) to remove the Deny From All without writing alternate rules to lock all folders that shouldn't be accessible.
Also, set your base_url to the folder containing application, system and assets directories (this folder contains Codeigniter's bootstrap/front controller index.php).
Additionally, I would advise you to echo your urls using the base_url() function:
base_url("assets/css/bootstrap.min.css");
OR to call a controller/route
base_url("controller/method");
The base_url function takes into account the value of $config['index_page'] as well as the necessary leading/trailing slashes.
Change your base_url to the following:
echo base_url("assets/css/file-name-here.css");
You want to pass the URL string to the base_url function. This way, you can change $config['base_url'] to whatever you want and it will append the string to that URL properly.
As an addition to the answer of grim. If you have your rewrite engine on you should have the following in your root .htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|assets|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [PT,L]
</IfModule>
I have codeigniter project lets say example.com. In my public_html folder on my server, i created a folder called test and i want to be able to access some file via the web using example.com/test/somefile.php
Since i also have a codeigniter project in the same public_html directory, i always get a codeigniter page not found error when i try example.com/test/somefile.php.
How can i basically tell my server or codeigniter project that the folder "test" is not part of the codeigniter app?
In your .htaccess at the root of public_html, you probably have something like this for routing everything through index.php:
Example taken from the CI user guide: http://codeigniter.com/user_guide/general/urls.html
RewriteEngine on
# If the path doesn't start with one of these...
RewriteCond $1 !^(index\.php|images|robots\.txt)
# ...send the request to index.php/REQUEST
RewriteRule ^(.*)$ /index.php/$1 [L]
Just add "test" to the pipe delimited group, or whatever you need to do to allow access to the directory with your configuration:
RewriteCond $1 !^(index\.php|test|images|robots\.txt)
# ^^^^
Without this CI requires index.php in the URL - there's no way to actually have your Codeigniter app itself redirect, rewrite URLs, or block access to the /test directory, it's generally all done through an .htaccess file.