This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to hinder PHP files to Global Access
For a project I'm working on, I require("xxxx.php"); to include certain parts of my website into my site.
For example, I have header.php and my site just uses a simple require("header.php") to display to the world.
Now, how do I make it so the page include header.php's content, but make it so the user can't access it via
http://mywebsite.com/header.php
Put the file somewhere outside the DocumentRoot of the webserver.
Setup the webserver so that:
You have a public directory, where your accessible files reside, say static media + index.php and so on
Have a resources directory, that is outside your public folder.
Setup the webserver to serve from the public directory
Include like this:
require("../private/header.php");
You could define a constant in your index file and then in your header.php you would check so this constant exists.
// check if the header.php file is accessed directly
if (!define('MY_SECRET_CONSTANT')) {
exit();
}
You can either work with htaccess to ensure that special files are not viewed. The same can be achieved through a virtualhost entry.
A best pratice is to create a /web folder which is "the root" for your application and store everything which should be accessable. Other folders go anywhere else and are included into scripts which are desgined to get accessed by the user.
Your structure could look like this:
/var/www/mySite/inc/header.php
/var/www/mySite/web/index.php (including ../inc/header.php)
/var/www/mySite/web/css/style.css
Your apache virtual host would look like this:
<VirtualHost *:80>
ServerName www.mysite.com
# Basic stuff
DocumentRoot "/var/www/mySite/web"
DirectoryIndex index.php
<Directory "/var/www/mySite/web">
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
Now the inc folder cannot be accessed through your domain as your web folder is the root for everyone comming from the url. Your scripts on the other hand can of course navigate lower than that and including scripts from anywhere.
As you can see from the answers: there's a gazillion ways to do this, here's two pretty simple ones that do not require you to change your directory structure:
In index.php and other files that include header.php:
define('INCLUDED', true);
require 'header.php';
In header.php:
if(!defined('INCLUDED')){
die('Forbidden'); // or you could redirect to home ... whatever you want :)
}
Alternatively, you can forbid access via .htaccess. Thus, you don't even have to touch your code:
<Files header.php>
order allow,deny
deny from all
</Files>
If your includes are all in one directory, you can simply deny access to that directory.
Related
In order to prevent PHP local file inclusion attacks I want to disable the execution of all PHP files in one directory completely. Using the line php_flag engine off within the .htcaccess file will cause a 500 error. According to another question this is due to the way PHP is installed.
Is there any other way to prevent PHP execution if the PHP installation cannot be altered?
Update: The files don't neccessarily have the .php ending.
Add this to your .htaccess file
<FilesMatch \.php$>
SetHandler None
</FilesMatch>
You're building your site via "allow all, then deny" logic. You should build it with "deny all, then allow" logic. For example, you're telling Apache to serve all files a particular directory and then you're overriding that config to tell Apache to not serve some files in that directory. I.e., you probably have something like this:
<VirtualHost *:80>
ServerName foo.com
DocumentRoot "/path/to/files"
</VirtualHost>
With a directory layout like this:
/path/to/files
index.php
config.php
/path/to/files/lib
db.php
etc.php
other_thing.php
With this setup, anybody can request http://foo.com/config.php or http://foo.com/lib/etc.php directly, which is what you're trying to prevent. Rather than adding individual exceptions for everything you want to deny, start the other way around. I.e., if you have files that you don't want to be served, then don't put them in the document root.
<VirtualHost *:80>
ServerName foo.com
DocumentRoot "/path/to/files/public"
</VirtualHost>
Note the DocumentRoot is now set to a subdirectory within your project. Put only your public assets in this directory. All other files go outside (i.e., above) public, and thus can not be served by Apache, while still allowing PHP to include them.
/path/to/files
config.php
/path/to/files/lib
db.php
etc.php
other_thing.php
/path/to/files/public
index.php
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s desired directories.
Create a blank file named .htaccess and paste the following code inside it.
<Files *.php>
deny from all
</Files>
Add this below the <?php header, this will prevent a direct execution of php
defined('BASEPATH') OR exit('No direct script access allowed');
Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript ect.
I used an .htaccess file in my images directory that contained
deny from all
to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.
I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.
Also, is using .htaccess files even the best way to secure a site?
To prevent someone to view your images directory, you need to disallow Directory Listing.
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.
Options -Indexes will disallow people to list files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
For securing data from being viewed by people who shouldn't you can use a authentication. You can setup a login field with htaccess, or script one with, for example PHP or python.
Login script with htaccess:
Script:
http://www.htaccesstools.com/htpasswd-generator/
Password file:
http://www.htaccesstools.com/htaccess-authentication/
You can prevent from accessing any directory you want:
Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)
<Directory "c:/wamp/www/directory_A/">
Options -Indexes
</Directory>
In this case you can access www directory but can't inside directory_A.
or
<Directory "c:/wamp/www/directory_A/uploads/">
Options -Indexes
</Directory>
In this case you can access 'directory_A/' directory but can't inside 'uploads/'.
My php website have multiple php files , some of them are for user interface and some of them are helper files(the files, which communicates through database and each other to return a result). Now I need that user can't execute the helper files from their direct url's.
e.g. mydomain.com/login.php ---------- (Interface file, must be accessible to user)
mydomain.com/login_handle.php ----(Healper file, must not be accessible to user)
So I need is user can execute and browse mydomain.com/login.php but must ot be able to execute mydomain.com/login_handle.php, while login.php and handle_login.php keep communicate and can access each other. Thanks,
Edit: Sorry but I'm using shared hosting and there is no folder other than public_html.
The first things I would attempt:
Move the included files outside of the document root
Move the included files inside another folder and protect it using .htaccess. Alternatively, rename your include files to end with .inc and create a rule based on that.
Make sure the included files don't output anything; this is not really secure, but if your file only contains functions, class definitions, etc. without producing any output, it would just show an empty page.
The hackish approach for this can be accomplished by using constants:
index.php
<?php
define('MY_CONSTANT', '123');
include('helper.php');
helper.php
<?php
if (!defined('MY_CONSTANT')) { exit; }
// we were called from another file
// proceed
Edit
The number 2 approach from above can be done by:
Create a folder underneath public_html, e.g. includes/
Move all the files that should be included only into this folder
Add the following .htaccess inside:
<FilesMatch "\.php$">
Order allow, deny
Deny from all
</FilesMatch>
Try to use .htaccess.
Instead of 127.0.0.1 this ip, you need to put your server ip address.
<Files login_handle.php>
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>
On my site i use a lot of includes, the most of the includes should only be accessible for the webserver and not for the rest of the world. So if i include "../include_map/file.php" in a page on my site, it should not be possible to request with an URL by other users in the world ("website.com/include_map/file.php"). Is there a possibility to protect the map with the include files so that only the webserver can include the files?
PHP can include files from everywhere (also non public directories) on the servers harddrive.
for example, if your htdocs is located in /var/www/domain/htdocs/ you can also include files located in /var/www/domain/include_map while the webserver wont be allowed to read from there (if configured properly).
you can then test to access the file with www.yourdomain.com/../include_map/file.php.
if you can still access it like this, your webservers configuration needs some attention to prevent others from reading your logs and other things.
another way is to deny access to the directory via .htaccess or apache config. php can still include the files, while users cant access them from the internet.
in the apache config you would do something like:
<Directory /inlcude_map>
Order Deny,Allow
Deny from all
</Directory>
in a .htaccess file you could write
Order Deny,Allow
Deny from all
the .htaccess file should be located in the directory you want to secure. Consult your server provider to find out which way is best for you. As stated in the comment you have to find out if .htaccess is an option for you first.
You could do as zuloo said. If you want this to work under any condition you could use a constant for this.
The file including:
define('IS_APP', true);
require_once('some/file/to/include.php');
// your code here
The included file:
if(!defined('IS_APP')) {
die('No direct access');
}
// your code here
We all have php files like 'connect_db.php' for include purposes only.
Suppose I have all those inclusive .php files in "www/html/INC"
And I have index.php
I want index.php accessible from browser to everyone, but I want to prevent users' direct access to "www/html/INC" folder. (e.g. when type in the browser 'www.domain.com/INC/' -> 404 error etc)
How do I achieve this?
Preferrably using .htaccess file in the root directory please.
Something like
<Directory /INC>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
should work.
How do I achieve this?
Don't. As per my previous answer, it's much more secure to put connect_db.php in /www/, not in /www/html/INC/. If you are going to do so, then you'd use /www/html/.htaccess:
<Directory "/www/html/INC">
order allow,deny
deny from all
</Directory>
Google searches have brought me here so I figured I'd post what I found in the apache docs today. I'm not positive what versions of apache it is available in, but do a search for your version to verify.
Now you can just use Require local. I'd recommend putting an .htaccess in the folder that you want to restrict access to with just that line. However, if you must do it in the root directory then here's what it would be:
<Directory "www/html/INC">
Require local
</Directory>
As of Apache 2.4, Require is the way to go.
E.g. the following denies access to the /www/html/INC directory by anyone except localhost:
<Directory "/www/html/INC">
Require all granted
Require ip 127.0.0.1
</Directory>
Move connect_db.php to the more high level in directories tree, than public directory.
And all scripts, which should not be executable - too.
/home/user/project/incs/ -- here your inclusive scripts
/home/user/project/www/html -- here your index.php and other executable scripts.