I am writing an web application, and within it, for security reasons, I would like my users (admin) change system directories right from the admin panel.
For example, he can change the url www.domain.tld/administrator to something like
www.domain.tld/dir1/dir2/dir3/administrator OR
www.domain.tld/dirx1/diry2/dirz3/administratorxyz/pqr
I know that these can be done by .htaccess easily and it can be done by rewriting the .htaccess file by php file handling codes. But I do not want to change the content of the .htaccess file physically, rather, I am looking for something where the user's choice will be stored in database and it will be fetched by a php code and will be used as the .htaccess code in real time.
Is it possible?
Related
My page in wordpress have a button like "Go to the next".
I am trying to get my php file run by clicking the button.
<form action="https://"domain name".com/hoge.php" method="POST"></form>
The php file is successfully run if I locate the php file in the domain.
(like, https://"domain name".com/hoge.php)
However, the php file can not be run if I locate the file in the themes folder, and the response is 404 not found.
(like, https://"domain name".com/public_html/wp-content/themes/hoge.php)
So I have 2 questions.
Why the php file can not be accessed if I locate the file in the themes folder?
Talking about security, is it safe to locate my php file in the domain directly?
(like, https://"domain name".com/hoge.php)
wp-content implies this is a WordPress Site.
Wordpress changes the .htaccess to prevent exactly this. The htaccess will not let you access the sub php files directly.
Answer for question 1:
There has a lot factor affecting to located your file. It might involved to the RewriteRule for .htaccess configuration, your platform configuration or just you create file at wrong location or wrong name
Answer for question 2:
Yes, it is unsafe, because it can be access by anyone else. So you need to perform some authenticate checking before execute the written code, for example use SESSION to check the user is already logged in before execute your code.
Your way of handling FORM is perfectly ok, while developing in core PHP. But, WordPress has its own handling FORM. YOu can check out this blog on how to handle the FORM in WordPress way.
I am working on a already existing intranet. I have build an application and would like to take care of the 404 errors.
The problem I have is that this error management should only have effects on the pages located below the folder I'm working on.
Explications:
My file explorer looks like this:
root
aFolder
anotherFolder
RootOfMyApplication
myPages
I want to redirect all 404 errors below RootOfMyApplication to a specific page using PHP.
For example, browsing to "..../anotherFolder/RootOfMyApplication/notExist.php " should redirect me to my custom page, but browsing to "..../anotherFolder/notExist.php " should'nt.
If possible, I would like to make it so that directory browsing follow the same rule: if the url links to a folder and is below RootOfMyApplication, I redirect to the page.
The problem comes from the fact that I don't manage the root directory, and if possible want to have no impact on navigation outside my folder.
EDIT
What I want to do is the same as a .htaccess file: when an error is thrown, I want to take care of it myself, with PHP. My question is : "Can I do it, and if yes, how do I do it?". I don't want to use configuration files.
"It's not possible" will be accepted as an answer if there is a good explanation.
The Error Handling of files which are not found is a job of the Webserver (in your case Apache).
PHP can't help you because you always have to request one file which is then executed by PHP.
If you are going to request a file which doesn't exist, it can't be executed and the Webserver has do deal with the error. (PHP won't be started.)
But maybe there is a workaround:
If you use URL-Rewriting on your server/ application, there could be a way, but we would need some more Information/ code.
Can't you create an .htaccess in your root directory and change the error documents for your folder?
Talk to the admin and tell him he should change the error documents for your folder in httpd.conf.
(2./ 3. Maybe not an allowed solution for you, because you don't want do use configurations files.)
I have been reading about where to securely save a PHP file that has my mysql database connection password. I understand from the forums that it should be saved in a folder above the webroot. I have a cloud server from a hosting company.I have access to root
The path to the public files is as follows:-
/var/www/vhosts/mydomain.co.uk/httpdocs/afile.php
Say I have a PHP file (containing my password) called sqlpassfile.php
Would the following be okay as a place to securely store it? ie in a new folder called Newfolder after vhosts??
/var/www/vhosts/NEWFOLDER/sqlpassfile.php
Sorry for a simple question but just want to make sure its secure
Thanks
All the nowadays PHP framework you will find do, indeed store their whole code base in a level under the web root.
They do not only store informations like credentials actually, they do store all the business logic of the application outside of the web root. They will then only allow a facade file to be accessed (most of the time a index.php or app.php) that will, then, with the help of controllers, handle every request and route you to the right page/content, and, of course, all the static content the site will use (your design images, your css, your js, ...).
For example :
Zend Framework does use a public folder where you will find an index.php and all the static files
Symfony does use a web folder where you will find two files app.php and app_dev.php and again all of the static files
So in your case you could do
/var/www/vhosts/example.com/httpdocs/ is the web root of your server
/var/www/vhosts/example.com/app/ store all the php code you need
/var/www/vhosts/example.com/app/config store all your configuration file, and then maybe your credentials files which you can call sql_config.php
/var/www/vhosts/example.com/httpdocs/afile.php will require_once '../app/config/sql_config.php
Usually, People just save the database connection information in a regular PHP file, for example, Wordpress saves the connection info in it's wp-config.php. Simply because nobody is able to see your password by visiting that php page, nothing is returned.
To make it more secure, you can disable access to php file while mod_php stopped working. Try this in you .htaccess
<IfModule !mod_php5.c>
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
</IfModule>
Please also have a look at this post:
Password in file .php
Whether your method is safe depends on the configuration of the server, something that providers are not often very good at documenting.
Your first line of defence is keeping what is essentially confutation data inside a file named with a .php extension. So if it is accessible from a browser the webserver will execute the file rather than returning the data. You certainly want at least 2 levels of security on your data (each of which you have tested independently).
Considering the path you have chosen, /var/www/vhosts/NEWFOLDER/sqlpassfile.php what happens if you request http://NEWFOLDER/sqlpassfile.php from the server? (In most cases, nothing but once in while....) Generally its better practice to keep it well clear of the directories your webserver uses.
I wrote a custom module, which logs errors to an external text file. The files are kept in
/sites/all/modules/custom/my_module/logging/
The problem is, if the user know the name of the file, they can go directly to it. For example, if they go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/
The will get a forbidden error. But, if they know the name of the document and go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/myFile.txt
the full file is rendered to the browser. Is there a way to prevent this? Ideally, I would like to show the files to certain users but at the very least prevent it all together.
thanks jason
very simple method...
Put a .htaccess file in the logging folder and inside that put
deny from all
It looks like you have somewhere options -indexes, this will prevent a client viewing a folder that does not have an index file
I'm working on an installer for a project of mine and the installer will create a configuration file.
I have it working 99.99% fine, but in that file i want a check to ensure a hacking can't access it directly, and that code uses the $_SERVER super global, which in every run, gets parsed by php so it breaks the logic I'm trying to go for.
does anyone know I can get the superglobal to stay intact as it is without it parsing or should i rethink my logic and add it elsewhere?
for those who may want to see the code, here it is:
#Disable direct access.
if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('accessed')){
die('<string>No Direct access is allowed for this file.</string>');
}
Assuming you are using Apache (or any .htaccess compatible server), you just have to create a .htaccess file in the folder holding your configuration file, containing the following:
<Files config.php>
deny from all
</Files>
It will prevent any access to this file through an HTTP request.
See using .htaccess files for details.
Don't use in-script or .htaccess protections - just write the file somewhere outside of the document root. If you don't want something to become available, don't make it available.
Putting it in the document root is like your bank hanging sacks of money in the front window with "do not steal" written on them.