I know about java based web applications directory structure. A simple web application will have something like this:
web-application folder
WEB-INF folder
under WEB-INF you can have your lib, class and all.
anything which should be publicly available will be kept outside WEB-INF and which should not be directly accessible will be kept inside WEB-INF. If any file is present inside WEB-INF, it will be accessible only to java classes or jsp. User can not access the files which is present inside the WEB-INF directly through the browser. So, here WEB-INF works like a barrier, right.
Now, my question is, i am new to php and i want something like WEB-INF here. Is there any way to do so?? or how php based web applications protect their private files from direct access??
Thanks
You can place the PHP files where ever you would like to, and you can restrict access to the files directly by placing them in a folder (named whatever you like) and using .htaccess files to prevent users from accessing that folder directly (even if they were to access a PHP file directly, it would show a blank screen and not execute anything if all of your functions / classes are in these files only... likewise, they cannot in any ways access any of your PHP code as it's all server-side and only displays content you want it to output).
I have also heard of people putting some files in a folder above the http_docs/ or www/ folder so that the file and even the entire folder cannot be accessed at all from the website.
So, I would look up .htaccess files (and learn more about PHP!). Set up some PHP files that have functions in them and visit that page in your web browser and view the source, etc...
Related
I have been told that for security reasons all PHP data handling files should be located outside of the website root directory. I have a website hosted in IIS 10 with the includes folder outside the root. Something like this:- website: C:\inetpub\wwwroot\index.php and PHP files C:\includes\submit.inc.php This is obviously not working since http:\localhost\includes\submit.inc.php doesn't exists. The submit.inc.php is a file that AJAX uses to send form data back to the server.
So, should I be worried about PHP file separation in the first place, and if so, how can I reference files outside website physical path in IIS?
Thanks.
You should have PHP files (or a file if you are using the Front Controller pattern) that are inside the root.
These provide endpoints (i.e. have URLs) that browsers and other clients can make requests to.
From there you can load the dependencies from outside the root using require_once.
The primary goal of keeping your data processing outside the root is to protect your business logic and security credentials from leaking if an HTTP server configuration error causes your PHP files to be served up raw instead of processing them with PHP.
This isn't served by keeping all your PHP outside the root.
I have noticed one issue.
I have a server running a web application. Now I can access PHP files directly from url, like that
http://superapp.com/libs/mongo.php
How can I restrict of direct execution of all PHP files except of index.php in the app root directory.
I would be grateful for any help
Generally speaking, people usually put the application code above (../) the public webroot to accomplish this. Basically your wwwroot folder has index.php which includes something from ../MyApp/Bootstrap.php and maybe calls a function to kick things off.
You can disable php execution on a per folder basis, however, that is probably not what you want as it will deliver the SRC code to the requesting user. You could use htaccess or similar to restrict requests that are not to index.php.
I have a few PHP scripts that generate word documents into a folder.
The PHP scripts are locked down with a login session, however if you know the right URL the documents are accessible.
How do I lock down the directory from being accessible from a url but still maintain read and write access for the PHP scripts? Currently the chmod for the directory is set to 777. Can this be set with the folder permissions?
You place the documents at the wrong location in your file system.
Do not place the documents inside the document root and you do not have to protect them. There is not need to place them exactly in there. There is no limit to still accessing such documents from php when they are stored elsewhere. So create yourself a folder outside the document root and that's it.
General rule of thumb:
never place objects inside the document root that are not meant to be accessed directly by web requests.
documents meant to be offered for download should not be offered directly but by a handler script instead.
General structure of my application:
[includes] - not accessible by the web
.. important database classes, etc
[public]
.. all files that the application publicly uses
I'm trying to make a decision about where I should store the [uploads] folder. This is the where all users will be storing their media (images, etc)
[uploads]
[user123]
mypic.jpg
mysecondpic.jpg
[user456]
picpic.jpg
yeah.jpg
Currently, I have this folder within the [public] folder, but for some reason I'm not convinced that that this is the right place ...
The [includes] folder will not be accessible by the public, only PHP will be able to navigate there.
What are your thoughts on this for best practice sake?
In a sibling directory. That is, a directory at the same level as includes/ and public/.
It depends on what you are trying to achieve. If you are uploading for example photos for user articles, place them in publicly visible folder such as /public/images (that images are visible either way). If you are on the other hand making an application that will (for example) profit from uploaded files, it's better to place them one level higher, such as /uploads, so that they won't be publicly accesible, but you can create a code that will enable downloads.
I suppose only that user. I mean, without brining "sharing" media into the conversation ... which is a possibility down the road.
In that case, the usual setup is
Place the files outside the web root (ie. outside the public folder - where exactly, is up to you really)
Build a PHP script that checks user permissions and passes through the requested file if everything checks out. That PHP script will then be called for every resource like so:
domain.com/resource.php?user=user123&file=mypic.jpg
(or use pretty URL rewriting)
bear in mind, however, that this requires an expensive PHP process to be started for every resource requested. Be sure to use very clever caching to minimize requests.
There are Apache and nginx modules that make this process more efficient named X-Sendfile. That may be worth a look down the road.
I've been wondering: is it possible to shield a directory/file on a server from the outside world, but make it accessible to PHP?
It's fairly simple. I'm caching webpages on my server with PHP in a certain directory, but I do not want web users to view these files or this directory directly. PHP, on the other hand, must be able to access these files (to serve them to the user). That may sound not logical, but what I'm trying to do is restrict users certain pages and still be able to cache them in a webserver-savvy format.
Preferably something with .htaccess or chmod.
Thanks!
Absolutely-- in fact, you don't need to use .htaccess. Simply put the protected directory above your document root (that is, store it next to the folder where your PHP scripts are store, typically "htdocs," "httpdocs" or sometimes just "www').
So your web files would be in /my/folders/httpdocs/, and your "protected" files would be in /my/folders/protected_folder/
The idea here is that PHP can access any folder on the server, but Apache won't let the user navigate "above" the root directory.
To access the directory, you can use:
$protected_path = $_SERVER['DOCUMENT_ROOT'].'/../protected_folder/';
(Incidentally, you mentioned you're doing this to cache pages-- you might want to look at Smarty, the PHP template engine, which pre-compiles your templates and also supports really smart caching. And in fact, one of the Smarty "best practices" is to configure your structure so the template and cache files are not in or below the document_root folder, so users coming in from Apache can never get to them, but the Smarty PHP code can easily grab whatever it needs from there.)
Sure, just place the files in a directory outside of your web root. For instance, if your web root is /usr/local/apache/htdocs/ you can create a /usr/local/apache/private_cache/ directory that PHP should have access to, but there is no way to get to it via a web request.
You can also put a .htaccess file consisting of the line deny from all in the directory you want to protect. That will prevent Apache (but not PHP) from serving up the files.