This is what the map of my website looks like:
root:
-index.php
-\actions\ (various php files inside and a .htaccess)
- \includes\ (various php files inside and a .htaccess)
- .htaccess
I know that if I use "deny from all" in actions and includes directories, the files in them will be secured from direct access.
Now, my actions folder has many php files that are called by index.php (forms).
I have "deny from all" in .htaccess inside \actions, but then I have the forbiden access to that files.
So, how can I protect the files from direct url access but have the exception that can be called from index.php?
The easiest way is to place a constant in the index.php and check in the other php files if this constant exists. If not, let the script die.
index.php
define('APP', true);
various.php
if(!defined('APP')) die();
If you want to block using .htaccess then most likely the best way of adding the exception is to add it to the same .htaccess file. If you want to prevent PHP script from working (but not from being "visible"), then simply look for certain condition (like session variable, constant) at the begining of your scripts. Unless these scripts are invoked "the right way", these requirement will not be ment, so it'd be safe to just die() then
Related
I'm developing an application where I have a configuration page that has some data that must be hidden from anyone who tries to access them directly, I'm currently doing a verification, but I don't know if it really is safe, I'm using this:
if ($_SERVER['REQUEST_METHOD'] == 'GET' && realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
die();
}
In other words, any user who tries to access the page remotely dies, is this safe or is there a better way to do this?
It looks like you're using an include file for PHP. There are three ways you can make it inaccessible via GET request.
Use .inc extension and make the server not serve .inc files and throw Error 404.
Put the file in a non-accessible location, out of www and use the include path, which can include file from any path.
Use .htaccess to limit the file access, i.e., see the below one:
Contents of .htaccess to limit config files.
RewriteRule ^config/.*\.(php|rb|py)$ - [F,L,NC]
I need some help.
I was reading the security recommendations of my hosting service and they say that ideally just put the
index file and files like css, js and img inside my root folder, and that all other files should be placed
off, that is, a level above.
I tried doing this in my tests, and I had some problems. The structure of the hosting folders is:
/
/htdocs
Inside /htdocs I put the index.php file and when accessing it through the url exemple.com/index.php works normally.
But putting other test files out of htdocs is what starts the problem. For example, if I have a file called contact.php
and I try to access it through the url exemple.com/contact.php I get the 404 error message.
So the question I have to ask is:
Is it possible to access url files that are outside of htdocs, or better to put all the files that will be accessed by the url inside
of htdocs and leave only configuration files outside this folder, like class, functions, database connection, etc?
And if it is possible to access the files by url, how would I rewrite these urls in htaccess?
and that all other files should be placed off
Yes, this is good practice. However, you're misunderstanding the implementation.
You can not directly access files outside the document root. But you can indirectly access them. I.e., the web server can't see them, but your programming code can.
Ideally, your site would use the front controller pattern. Here, your index.php file would serve every page of your app by intercepting every request and then routing it to the correct end point. I.e., you would never directly request /contact.php, you'd instead request /contact, which would get funneled to /index.php, which would load the required resources from outside the doc root.
So I work on a website and to make things easier I made specific files for every task (like: for the top menu I made menu.php) and then require(); them in the main files. All is good but I tried accessing in the browser /include/menu.php and it shows up. I don't want people to access them whenever they want, I just want to require them and to be available only through the main file.
The easiest way to prevent other php files from being accessed, is to define a variable in the main script:
define('IN_APPLICATION', true);
In all of your other files, simply add:
if ( !defined('IN_APPLICATION') )
die('You cannot access this file directly.');
An alternative way is to use an .htaccess file. If your server is running apache, this is all you will need. Simply put this file in your /includes directory.
Currently, for things like a header, footer or common sidebar object, I create a custom .php file and do something along these lines:
echo '
<some><html><here>
';
and then include it on the pages that I want it to appear:
include('path/to/file');
The only problem with this is that someone can point their browser to my .php file and view part of html on its own. It isn't a huge deal, but it seems unprofessional and a little careless. Is there a better way of doing this?
The simplest way is to move all those files outside the DocumentRoot / public directory and include them from there. Something like:
include '../pages/header.php';
// rest of the script
include '../pages/bottom.php';
Anyway that's the purpose of that directory - to only hold things that are meant to be accessed directly.
Of course, the first step after this would be to look into having only one index.php file which filters all the requests (permissions, filtering, rewrites, etc) and includes whatever is necessary based on the request (this is called a Front Controller and there are also a few lightweight frameworks which already implement it). Here's a starting point: https://github.com/adrian-gheorghe/basic-website/blob/master/public/index.php
Put the included php files in a separate directory, and make this directory inaccessible from the outside (using .htaccess with Apache, for example).
You must restrain the access to other files in the server configuration.
WordPress pretty much does what you are currently doing: it stores all of the theme files in /wp-content/themes/THEMENAMEHERE/, and you can access the files to there directly. It's not that big of a concern, as users can't exactly do anything harmful, but if you care, you can store your files in a separate directory (as other answers have mentioned), or configure httpd.conf or .htaccess to block access to the particular scripts.
I ask because it seems like the only thing ever called in a proper app index.php file is the require_once bootstrap file. I'm assuming this adds a layer of security but if not, this pattern seems pointless. Why not just use the index.php file as the bootstrap? Any opinions, cautions, thoughts etc. are appreciated!
(By the way, my htaccess file is routing all requests to the index.php file...)
There is no inherent security difference, no matter whether you have your bootstrapoing process in the index file or a separate one.
Having a separate file is usually due to organization concerns (e.g. to have a file that can be included from elsewhere to import your app's functions, or to put all the tasks in properly named files, or to make it especially easy to add custom extensions to the boot process).
However, configuration files containing sensitive information - sometimes, more rarely, even all PHP files at all except for the index file - will be placed outside the web root where possible. That will make a security difference in that PHP files can not be accessed from outside in case of an accidental server misconfiguration.
in a secure enviroment only the index.php lies in the document root, all other PHP files should be outside document root, so it makes sense when the index.php file is only including a Bootstrap file outside the document root.
I don't know of any vulnerability that this exposes. Dropping a blank index.html or index.php into a folder can prevent an attacker from obtaining a directory listing if apache is misconfigured.