I'm building a site that uses many files,many of which should never be accessed via the browser. For example there's a mysql_conect script that every MYSQL query page users, but if the user were to navigate directly to that page via URL(example.php/mysqlconnect.php) the screen would return blank..How can I make it that the browser returns a 401 permission error when the user attempts to access these files directly?
There is no need to do that. Unless you echo the values, you're safe.
PHP wont render in the browser unless told to do so. Many (all) scripts do what you're explaining.
As #Paul says, there is no need to do that, the user will never see the content of the php file if he points the browser to example.php/mysqlconnect.php, but if you want you can drop a .htaccess file in the same directory where the mysql_connect.php script is with the following content:
<Files mysql_connect.php>
order allow,deny
deny from all
</Files>
Or if you want to restrict access to the whole directory the content of the .htaccess file needs to be:
deny from all
Or
Options All -Indexes
You can see more configuration options in .htaccess files here:
Htaccess tricks
in particular situation you can place your file wherever you want and add the following code to your file
if(basename($_SERVER['PHP_SELF']) == 'mysqlconnect.php')
header('HTTP/1.1 401 Unauthorized');
exit;
so if the file is requested directly, it will return 401 status code and exit.
Related
I have a directory called "db_interface". In this directory there are all the files .php that allow me to retrieve data from my database. If someone try to search one of this file in the searchbar of chrome or firefox, he can access to all of this content. I've tried to put in this directory an .htaccess file with
deny from all
and it worked. But if I want to use this files to provide the login or to do some ajax call, I have the same 403 error handled by the .htaccess.
In a nutshell I want be able to use this file only if is another page to call them and not if is an user using chrome or firefox searchbar.
Thanks to all
Update your .htaccess file in db_interface with following code.
It will prevent all the files from the direct access, but you can include all those prevented files in another independent file, and make d :
order deny,allow
deny from all
So, all I'm attempting to do with this .htaccess file is prevent anybody that isn't the server from being able to view the file e-mails.txt. The server needs access to it for a php script(using fopen). Everything I've read says this should work, but this is preventing any file in the directory, and subdirectories from what I can tell, from being accessible.
<Files e-mails.txt>
Order deny, allow
Deny from all
</Files>
Also, before when .htaccess was similar, it wasn't blocking the entire directory, but it was preventing the .php script to function properly, which is what caused me to delete it, which fixed the .php script but let e-mails.txt be visible to everyone. So then, when I re-created it and used the above code, the entire site/directory is spitting out a 500 error.
May be, you can write a rewrite condition for this file to 404 or 500 error page. This method render impossible access over http.
I want to be able to prevent people from accessing a file on a server, such as a document if they were to directly link to it via the URL. This is for security purposes so that documents on the site just can't be stumbled upon and downloaded...
What is the best approach for this?
I've tried using the .htaccess to deny access to docs and txts for examples, but you can still download the files it just prevents you from accessing the directory...which isn't what I want to do.
<Files ~ "\.(doc|txt)$">
order allow,deny
deny from all
</Files>
put it in a directory outside the public space and provide it via a custom PHP page which requires login or what you prefer
echo file_get_contents(/var/www/example.com/file.txt);
should works I guess
Try putting this in your .htaccess
<FilesMatch "\.(doc|txt)">
Order deny,allow
Deny from all
</FilesMatch>
The best thing to do is to not put it in the web server's document root in the first place.
You can in your .htaccess redirect all requests to files in that folder to a special PHP page that only allows logged in users to download the file but denies those unauthorized to access it.
Also it's a good idea putting the target file itself in a folder above public_html.
I have files to be included (include()) in certain scripts. If someone were to enter the path to the file through the browser as the URL, however, I want the server to serve a 404 error. How would I do this?
# map 403 to 404 error page, prob. not a good idea...
ErrorDocument 403 /error/404.html
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files index.php> # <- allow direct access to index.php only
Order Allow,Deny
Allow from all
</Files>
Perhaps a better way is to define a constant in your index.php file and check if that constant is defined in the other scripts. If not, return 404 status and display a 404 template.
Place the files somewhere outside the document root. Access from the web won't find it but scripts will still be able to use the absolute file path within the local system.
/-- home -- docroot -- index.php
|
+- scripts -- myscript.php
http://www.example.com gets index.php from /home/docroot
index.php includes /home/scripts/myscript.php
There are a number of ways to do this. My first recommendation would be to move all the files that you don't intend to actually be served via web server out of the web server root.
If you can't or won't do that, you can certainly use Apache .conf file or .htaccess to restrict access to certain directories or files that you don't want to be accessed.
If you don't have access to the server config, you can add some simple code at the top of each include file to return a 404 header if the file was not accessed in a proper manner (usually done by setting some flag on page that would include the file and testing that flag within the include file).
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.