This might seem like a duplicate question but I have tried the solution given in the similar questions.
I want to limit access to files in a few folders on my apache server so that they can only be served through a php script to only the users logged in to the part of my system that should have access to any particular folder.
Other solutions suggest using the .htaccess
deny from all
allow from 127.0.0.1
But that seems to deny the files from everywhere.Including the local php scripts.
Im considering .htpasswd but that is an extra level of user credentials that needs to be handeled and I'd prefere to avoid that.
How should I get around this? Is there any better way of storing the files?
htaccess cannot deny access to files via php using include/require functions. If your php include is not accessing the file then the problem is the path to the file.
Somehow php was restricted by the
deny from all
allow from 127.0.0.1
to include and require files in the affected folders. This goes against what I can read from the apache documentation how this should work and I have no real answer why. The problem persisted both on my localhost using Xampp and on the webhotel one.com.
My original question was badly formed since I used require to test if I had read access to the folder when I actually wanted to use readfile.
My main concern was that I wanted to serve files for download from an inaccessible directory.
And the
readfile($filename);
could still access the files.
The soultion to this problem was that I realized that readfile() and include() somhow gets different permissions. I could not find this in any documentation.
Related
I'm having problems with my Apache2 WebServer. I run LAMP on a VPS (Debian 9, 64bit).
I have two VirtualHosts, Alpha and Beta.
Each VirtualHost has a different DocumentRoot: Alpha has /var/www/A, and Beta has /var/www/B.
The problem is that I don't want Beta can include /var/www/A/index.php on his files, and the same is for Alpha: I don't want he can include /var/www/B/index.php (and all other documents) in his files.
How can I do this? I already tryed lots of method using .htaccess but nothing worked, for example:
Order Allow, Deny
Deny from All
Allow from mydomain.com
Thank you! Hope in an answer...is so important :)
if you speak about PHP's include it is not possible to achieve this with htaccess, since you could include any file in the whole file system that can be read by the Apache user.
A solution would be to have a program that can run Apache with different user access depending on the document root, so you can only include (read) the files inside the document root defined for the virtual host, I think it is possible using an Apache module or some other Unix program (I don't remember), it is the same solution that is used by web hosting providers when they give you a folder inside the file system and you can only read the files inside this folder, they usually give you a user name (a Unix user) which have only read access to a specific folder and also Apache run with the rights with this user and so on for PHP.
I'd like to know how i can go about denying direct web access to configuration files of application whilst allowing php to access them.
I know most answers would suggest to put the includes outside the public_html directory. But I really don't think it's that efficient.
Thanks.
PHP just uses the file system to access files where web users usually go through apache and that verifies a .htaccess file. So just place that file that contains deny from all into that directory and voilla.
can php require any php file in my pc?
I set the apache www root folder to be d:\phpnow\htdocs, I thought that php can only require php files under this folder before ,such as require('laji/hello/a.php');
today I found it php can load any php file in my PC ,only need the full path.
how to prevent ? it should not safe for web server.
can php require any php file in my pc?
Any file that the user whom the PHP program runs as has permission to access. (That is to say, filesystem permissions).
how to prevent?
Limit the permissions on the file system or chroot the server so it runs in a sandboxed environment. (I've no idea if chrooting is possible on Windows)
it should not safe for web server.
It is perfectly safe unless either:
You allow untrusted users to install their own PHP programs on your PC (but see also What do you recommend for setting up a shared server with php)
You allow file paths on your filesystem to be selected via unfiltered user input
PHP can include any file on the server within its jailed limits, if any. In this case your computer is the server. It's not a security issue, since a remote server has no way of accessing your file system.
You can deny access to a directory using .htaccess file since you run php with Apache.
If you want to block direct access to the whole includes folder, you can put a .htaccess file (the file has only extension, and no filename. You may use notepad to type code and save it as ".htaccess" with quotes, called absolute naming) in that folder that contains;
deny from all
If you want to disable directory listing, here is a tutorial:
Directory listing in htaccess. Allow, Deny, Disable, Enable Directory Listing in .htaccess
and you may refer this Stack Overflow question .htaccess deny access to folder
Just Google for folder access deny using htaccess and you can find lots of stuff.
GoDaddy does not a give FTP root access to my account, meaning I can only access the public_html folder and not the includes folder.
Is there any way I can include the config files in that public folder but somehow make it so only the server can access them in a secure way? How does Wordpress do it?
You could use a .htaccess file to restrict Website Access.
Take a look of this article.
just make sure they have a .php extension.
(and actually contain PHP code of course)
Wordpress keeps the config file in the main folder. Just make sure you have a .php extension and you dont echo anything from that. (I know you wont.)
People really cant get the details inside your php file unless you echo something, or the chmod of the file is set wrong so that people may be able to actually download the file.
As xdazz said, you can also restrict access to your config files, but I think its just for MORE protection, and you are still safe without that.
Any help on this would be greatly appreciated:
I have a website running with php on IIS6 IIS7. I am protecting all the .php files by starting a session. The .php pages can only be accessed if the session is started by logging in through the login.php page
All my .php files are in the following directory (using as example):
home/dir
Is it possible to use php and .htaccess to protect all files in the following directory:
home/dir/files
The files in this directory are word files, pdf's and other files types.
Once the user has logged in through login.php I don't want them to have to retype their username and password when trying to access home/dir/files
I hope that I made sense. Thank you.
In general, a good way to do this is to have the static files outside your website directory structure but still somewhere that the web server has permissions to access them. Then, since you're using PHP anyway, when a user requests a document, they would really be requesting a PHP page that checks the user's permissions then, if the user has adequate permissions, serves the file.
.htaccess are generally associated with Apache, not IIS, but see Is there a file-based equivalent to .htaccess in IIS6?
That said, perhaps you could put your files directory out of harms way and put it somewhere outside the document root. Then you can control download of each file through a PHP script which checks the authentication details.