This is the problem:
I have this website with this structure:
php (folder)
css (folder)
js (folder)
index.php
In index.php, I use the include() php function to include the files who are inside the php folder, and I do the same in other files who are inside the php folder.
I have an .htaccess file in the php folder with this content: deny from all, so if I try to access one file in the php folder from the browser, I will get an 403 (Forbidden) error (this is fine)
The problem is that I need to make an Ajax request from a js file (in the js folder), and when I want to do this, I get the same 403 error. I tried to put in .htaccess:
<Files saveComment.php>
allow from all
</Files>
and now it works, but anyone could access the file from the browser and mess with my database (the file save "comments" in the database)
Any help? THANKS!
With your setup I would recommend routing all requests to your index.php file. So instead of saveComment.php you would have /comments/save which in turn internally execute the contents of saveComment.php
The reason for that is because once you set a deny to a directory using .htaccess then it will apply to all sub directories.
Related
I have a directory called "db_interface". In this directory there are all the files .php that allow me to retrieve data from my database. If someone try to search one of this file in the searchbar of chrome or firefox, he can access to all of this content. I've tried to put in this directory an .htaccess file with
deny from all
and it worked. But if I want to use this files to provide the login or to do some ajax call, I have the same 403 error handled by the .htaccess.
In a nutshell I want be able to use this file only if is another page to call them and not if is an user using chrome or firefox searchbar.
Thanks to all
Update your .htaccess file in db_interface with following code.
It will prevent all the files from the direct access, but you can include all those prevented files in another independent file, and make d :
order deny,allow
deny from all
I am using a common file called menubar.php which obviously shows menubar. I am using REQUIRE("menubar.php") in all the files which need menubar to be shown. The problem I am facing is I don't want the menubar to be displayed if I am accessing it through url ex. localhost/project/menubar.php.
That is how I prevented direct access from URL to your menubar.php file. Paste the following code in .htaccess file inside the directory where 'menubar.php' file is located.
<Files ~ "menubar.php">
Order allow,deny
Deny from all
</Files>
It will prevent to access menubar.php file via url, but it can access inside your server language.
I am working on a CI Application.
Now I Have a folder in my project called base_ini, in which I have some config files. I want to secure this file, so no can can view its content directly from browser.
So I tried this two ways:
Put an index.html saying that Directory access is forbidden.
I put a .htaccess file in that folder with Deny from all
If I pass this in URl : www.example.com/base_ini I do get proper error message.
But still if from browser I pass this path www.example.com/base_ini/default.ini then I can view its content.
How can I stop this access?
Put below line in your htaccess file and put that file at www.example.com/base_ini/ (path)
Options -Indexes
I have files to be included (include()) in certain scripts. If someone were to enter the path to the file through the browser as the URL, however, I want the server to serve a 404 error. How would I do this?
# map 403 to 404 error page, prob. not a good idea...
ErrorDocument 403 /error/404.html
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files index.php> # <- allow direct access to index.php only
Order Allow,Deny
Allow from all
</Files>
Perhaps a better way is to define a constant in your index.php file and check if that constant is defined in the other scripts. If not, return 404 status and display a 404 template.
Place the files somewhere outside the document root. Access from the web won't find it but scripts will still be able to use the absolute file path within the local system.
/-- home -- docroot -- index.php
|
+- scripts -- myscript.php
http://www.example.com gets index.php from /home/docroot
index.php includes /home/scripts/myscript.php
There are a number of ways to do this. My first recommendation would be to move all the files that you don't intend to actually be served via web server out of the web server root.
If you can't or won't do that, you can certainly use Apache .conf file or .htaccess to restrict access to certain directories or files that you don't want to be accessed.
If you don't have access to the server config, you can add some simple code at the top of each include file to return a 404 header if the file was not accessed in a proper manner (usually done by setting some flag on page that would include the file and testing that flag within the include file).
I can't figure out how to use .htaccess to redirect when any file is accessed within a directory, or, how to redirect when a specific file type (eg. .txt or .php) is accessed.
I've got a directory called "contents" where I'm storing .txt files, these are pulled into the main page using php. However, I don't want users to be able to access the specific text files where the contents are, eg. going directly to .../contents/textfile.txt. I'd like if a user happened on a .txt file, or any file within the contents directory, to be redirected to the root site.
If this isn't the right approach, please let me know what would be so I can search to attack it from another way.
Thanks in advance!
I would prefer to lock the directory down, so that users are informed that it's an invalid directory. Create a .htaccess file in the contents-directory with the following text:
deny from all
If you want a redirect, you should investigate "mod_rewrite" - a module that is installed on many webhosts. It will probably be something similar to
RewriteEngine on
RewriteRule ^.+ http://www.example.com/ [R,L]
use the Deny Directive
add,
Order Deny,Allow
deny from all
allow from 127.0.0.1
into a .htaccess and place it in contents directory.