GoDaddy does not a give FTP root access to my account, meaning I can only access the public_html folder and not the includes folder.
Is there any way I can include the config files in that public folder but somehow make it so only the server can access them in a secure way? How does Wordpress do it?
You could use a .htaccess file to restrict Website Access.
Take a look of this article.
just make sure they have a .php extension.
(and actually contain PHP code of course)
Wordpress keeps the config file in the main folder. Just make sure you have a .php extension and you dont echo anything from that. (I know you wont.)
People really cant get the details inside your php file unless you echo something, or the chmod of the file is set wrong so that people may be able to actually download the file.
As xdazz said, you can also restrict access to your config files, but I think its just for MORE protection, and you are still safe without that.
Related
By default (and as far as I know this can't be changed) files are uploaded to /assets at all times and folders beneath assets. I have a secure set of files that need to be uploaded, as I can't find a way to change where they are uploaded to, I figured on after write I could try and move the file to a secure directory. I have tried using
move_uploaded_file($file->Name, '\/secret\/');
to move the file to a root folder called 'secret' but this doesn't seem to change anything. Perhaps I am doing something wrong on that behalf or it just doesn't work. If anyone has done this before or knows how, I would appreciate any help I can get. Thanks.
In SilverStripe it is not currently possible to move a CMS controlled file or folder outside of the assets folder.
An alternative is to use the Secure Assets module to add access restrictions to folders that mirror the access restrictions of SiteTree pages.
Once this module is installed you can change the permissions of your secure folder so that only certain logged in users can access the folder and the files in it.
I think this question should be something easy but after searching all over the web I couldnt find an answer, so I decided to ask here.
I have a file uploader in my website that works with php. The folder where files are being uploaded has 777 chmod. I also have a php script to list the files in that folder. What I need is to allow php to upload and browse files on that folder, but dont allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in filezilla and allow only owner to do it, so people will see the files trough the output of the php script, but not if they navigate to that folder.
Im using Debian, apache2. Id like to know what could I do.
To make it shor, my aim: allow php to upload, read, write and execute files in that folder, but not clients unless they use my php script.
Thanks in advance
Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.
This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.
For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link
All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.
As well, if you want the browser clients not to see(read) the contents of that directory, you should deny listing on that directory. I think it is disabled for default.
i want to be able to make a folder where users upload content too, and then an admin can use a password possibly to view the folder and make choices on to approve or reject the content. best way to do this?
A secure and easy way is to do it with .htaccess and .htpassword to allow only specific people to access the directory.
Use chown to change the file/folder owner. In the php docs they say it works for files, but folders are just files and it should work. If it doesnt use shell_exec and use the OS chown (on *nix , donno about windows).
Alternatively you can use HTTP authentication, if the folder is on a public path. I would not recommend .htaccess unless you are out of options. Htaccess were created for other reasons. Use the correct tools for each problem (see Golden Hammmer).
Any help on this would be greatly appreciated:
I have a website running with php on IIS6 IIS7. I am protecting all the .php files by starting a session. The .php pages can only be accessed if the session is started by logging in through the login.php page
All my .php files are in the following directory (using as example):
home/dir
Is it possible to use php and .htaccess to protect all files in the following directory:
home/dir/files
The files in this directory are word files, pdf's and other files types.
Once the user has logged in through login.php I don't want them to have to retype their username and password when trying to access home/dir/files
I hope that I made sense. Thank you.
In general, a good way to do this is to have the static files outside your website directory structure but still somewhere that the web server has permissions to access them. Then, since you're using PHP anyway, when a user requests a document, they would really be requesting a PHP page that checks the user's permissions then, if the user has adequate permissions, serves the file.
.htaccess are generally associated with Apache, not IIS, but see Is there a file-based equivalent to .htaccess in IIS6?
That said, perhaps you could put your files directory out of harms way and put it somewhere outside the document root. Then you can control download of each file through a PHP script which checks the authentication details.
I have a script that allows only authorised users to upload files to a certain folder.
However I do not know how to prevent people from downloading freely without login.
I need the solution in php.
I have googled around but nothing straight forward as yet.
Currently in my document root I have a folder called admin and a subfolder called uploads inside the admin. So only admin role can upload. Both editor and admin can download. What should I do in this case?
Please advise.
Put the files somewhere outside the public webroot directory, or configure your server to not serve the files. As long as your server will happily serve everything with a valid URL, there's nothing you can do with PHP to prevent that.
If your files are in the /public_html/ folder, take them out of that folder and place them in e.g. /secret_files/, so your directory structure looks something like this:
public_html/
index.html
admin/
admin_index.php
secret_files/
my_secret_file.txt
The webserver is only configured to serve files in the /public_html/ directory, so nobody will have access to directories outside (technical term above) it.
To still enable somebody to download those files, do as cletus suggests and use readfile to "manually serve" the files via a PHP script. PHP will still have access to these other parts of the file system, so you can use it as a gatekeeper.
Don't store the files in a directory under the document root.
Instead move them somewhere else and then a PHP script can programmatically determine if someone can download them and then use readfile() or something similar to stream them to the user.
You could also configure the Web server to not serve files from this directory but then you need PHP to serve them anyway. It's cleaner simply not to put them under the document root.
Answering question on how to password protect with PHP:
This should solve your problem.