I know it a silly question but last night when I was working with my website's .properties file, I discovered this idea. I am using PHP script for my website where I have stored all my site properties values like image path, secure path.. etc in website.properties file. But I need to include this .properties file in each and every webpages to access the values in it.
My question is, like .htaccess file, can I add this .propeties file into server configuration? Is there any option available to sync this file with server configuration? Is Apache allowing us to do? In this case I don't need to add this file in every pages.
Look to the side of enviromental variables in Apache and PHP:
http://php.net/manual/en/function.apache-getenv.php
http://www.php.net/manual/en/function.apache-setenv.php
http://httpd.apache.org/docs/2.2/env.html
Related
I've got a legacy PHP project to fix a thing or two. I've downloaded it via FileZilla and served it on my local machine with a local copy of the database. The project is exactly the same with the live one, yet the live one can open the url/contact.html but on my machine it says no such file is found. All other pages go for url/categories/ or url/products/ so I've tried altering the url but no use.
All the other pages within the site are simple: one .php controller one .php model and one .tpl smarty template view. Requiring no .html at all. But this one is somehow different. The .htaccess file is exactly the same as the live version. I've tried adding a rewrite rule to direct every .html to .php but didn't work. I'm lost and out of options, please help? It doesn't even have to be an answer,"Try looking into that" would work too.
I'm working via XAMPP on windows, and I've configured the https:// to http:// on my project but that's all. Even hidden files are checked and confirmed.
have checked that contact.html is a static file (like a real existing html file?)
is there some kind of "routing" within the PHP of the project? If there is route urls might be really anyware.. in the mysql database, redis, a json file and whatnot.. have seen them all.
try to debug where and how it works on the "production" server by using some logging to a file edit the file through filezilla and log to a 'mylog.log' file until you find out what is going on.. or if the site is not used all the time by clients - you can just try to echo stuff to figure out how this exact /contact.html works
So, I was trying to upload PHP files into Apache server, and whenever I browse the file I get 403 error due to htaccess limitations. It turns out that the server only accepts certain files such as "gif|jpg|png|mp4" and other image files.
Is there any way to bypass this?
NOTE **: I tried the old ways,**PHP, Phtml .. it didn't work.
Is there any way to bypass this?
Not unless you edit the .htaccess file or find a vulnerability in Apache.
Note that simply uploading a PHP file doesn't mean the server can execute it. The server needs to have the right software installed and Apache needs to be configured to handle PHP files. You can't just drop a PHP file in there and expect it to work, regardless of what the .htaccess file says.
I know this is a security threat and is bad from a security aspect alltogether, but for a specific reason, i need this to work. I have a program running on Ubuntu 16.04. Let's say for this example, that it's a DNS server or whatever.
What i'm trying to do, is edit the DNS server configuration file, located in /etc/xxx from a web page, which is using PHP fopen, fwrite and fclose. Because you can't access a file directly located in /etc/xxx/somecfg.cfg anyways, since it doesn't have www-data permissions, i've tried linking it to /var/www/html, both soft and hard linking it. When i create a hard link, it changes the original cfg file too if i edit it by hand, but as soon as i edit it via PHP, only the hard-link file changes, but not the original file.
I've been trying to fix this during the weekend but i can't seem to be able to do it.
Does anyone have an idea on how i would go about fixing this? I'm open to other ideas too. The main goal is to edit a package configuration file from within a web page.
TL;DR: I'm trying to edit a config file in /etc/xxx from /var/www/html/someaction.php and doing it directly doesn't work (obviously), but hard links and soft links are acting weird - the links' content changes, but the original cfg file doesn't.
Thanks!
The issue was that i accidentally put unlink at the beginning of the code and the hard link was deleted, so i basically made a new file each time i wrote to it.
It's fixed now.
Greetings ! I have a project that has php index.php file in /htdocs. Also include files like dboperaitons.php, config.php and css file also in /htdocs/themes. Now I set up New site in dreamweaver opened the index.php file, it is running fine , but when I click on properties and ry to add or modify css property from dreamweaver, it gives me error saying unable to open file http://localhost/themes/en.css file because it is not found in the hard disk.
1. Why is it searching for file as http://localhost instead of c:/xampp/themes.
2. It says en.css file is remote file and cannot be edited.
How can I resolve this. Please guide.
you can fix this problem by browsing the file manually from its location.
When you define a site in Dreamweaver you need to make sure you set up both the local and remote locations in order for it to know where files are. It sounds like you have not defined the local site folders properly and DW is confused about where things go.
This may be a really stupid question...I started worrying last night that there might be someway to view PHP files on a server via a browser or someother means on a client machine.
My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file in to a browser or some other system and see the code itself then it would be an issue for obvious reasons.
Is this a legitimate concern?
If so how do people go about preventing this?
Not if your server is configured right. I think discussion on how that is done belongs on serverfault.
To add on to the other answers:
If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?
The most important advice is missing:
Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.
For example
root
- webroot
- includes
- config
Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).
Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.
This depends on the file extension you have given the include file.
If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.
If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.
A Directory Traversal Vulnerability can used to obtain files off of the remote mahine. Alternatively you can use MySQL based sql injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.
Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's setup though.
Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:
Order allow,deny
Deny from all
This apparently protects the directory so that only local non web-access is possible.
This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.
Does anyone else use this method?
Just for good measure I've put the directory permissions to execute only.
And the include extension is PHP as suggested by others.