You should recognize the first tag as an opening php tag (if you don't you should probably learn php). What follows is a small check that makes sure that this file is being included by Kohana. It stops people from accessing files directly from the url.
http://kohanaframework.org/3.2/guide/kohana/tutorials/hello-world
Let's assume that your webservers DocumentRoot is /srv/www and you put your example code under /srv/www/application/classes/controller/hello.php.
"stop accessing files directly from URL" means that if a user now navigates to www.example.com/application/classes/controller/hello.php it will not run the script, instead it will display 'No Direct Script Access', since SYSPATH is not defined.
http://kohanaframework.org/3.2/guide/kohana/flow
Related
I'm trying to get the back end of an app that was built by someone else, and then taked down, up and running again. I have uploaded the unmodified back end sourcecode to a dev server (not the original server it was on).
In the app, the URL to access a certain API is as such:
[hostname]/controllers/api/user/profile
and when looking at the back end php code, under the api folder there is a user.php file, and in that php file there is a function called "profile", and there is one for every api end point.
now the only way I know of to do this is to have an .htaccess file that redirects a request to /controllers/user/profile to /controllers/user.php?action=profile, and have a big switch statement in user.php that calls the function corresponding to "action" parameter.
But the weird thing is that there is no .htaccess file in the the api folder. The only .htaccess file is in the absolute root of the folder containing all the server code, and that just says deny from all
is there any other way to set up a server to cause requests to .../folder/functionName to actually call a function within a php file, other than using .htaccess?
It can be done through a PHP redirect. It is described here in details: How to make a redirect in PHP?
I'm working on an installer for a project of mine and the installer will create a configuration file.
I have it working 99.99% fine, but in that file i want a check to ensure a hacking can't access it directly, and that code uses the $_SERVER super global, which in every run, gets parsed by php so it breaks the logic I'm trying to go for.
does anyone know I can get the superglobal to stay intact as it is without it parsing or should i rethink my logic and add it elsewhere?
for those who may want to see the code, here it is:
#Disable direct access.
if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('accessed')){
die('<string>No Direct access is allowed for this file.</string>');
}
Assuming you are using Apache (or any .htaccess compatible server), you just have to create a .htaccess file in the folder holding your configuration file, containing the following:
<Files config.php>
deny from all
</Files>
It will prevent any access to this file through an HTTP request.
See using .htaccess files for details.
Don't use in-script or .htaccess protections - just write the file somewhere outside of the document root. If you don't want something to become available, don't make it available.
Putting it in the document root is like your bank hanging sacks of money in the front window with "do not steal" written on them.
I have a script named INDEX.php that runs from root directory //htdocs because that script needs to use $SESSION variables and other things in sub folder.
Now If I try to debug using eclipse, it asks me new work space, even if i put new work space under htdocs. still the settings inside script are lost.
How to resolve this? How to set dev env in eclipse so that it treats as if code is run from htdocs?
This is a poorly asked question. What do you mean "script needs to use $SESSION variables and other things in sub folder"? If you're referring to $_SESSION, it has nothing to do with folders.
If you're saying that values within $_SESSION are not staying there from one execution to the next, then you need to make sure that cookies are enabled, and that whatever browser/environment you are using to view the page supports cookies.
The cookie holds the ID that identifies the session that allows PHP to find the session data. You can also pass the ID from one URL to another, but that probably won't work in your case.
So I have a fairly noobish question, I have been reading up a lot around the subject, but can't quite find the answer I want, so bear with me...
I have a fairly simple website that I have been designing, consisting of the following:
1) HTML and PHP files that I want the user to be able to access directly by typing in the url in the browser.
2) HTML files that are only to be viewed inside an iframe in 1) (don't ask me why I used iframes)
3)PHP files that are called on by 1), e.g. when form data is submitted. I want 2) and 3) to be accessible to 1), but not directly accessible to the user by typing in the url.
4) images and includes, etc.
5) maybe this is a different issue altogether, but I also have a MySQL database.
I understand that I can control access to files by putting them in private/public folders in the website directory? My question is how should my directory structure be and where should I put 1), 2), 3), etc.?
Thanks a lot for your help.
Your directory structure does not matter. Any URL that is accessible to some users is accessible to all users. You only have control over the content of that URL.
If you really need to limit access to the content loaded by 1) you have to use PHP to serve the content. That PHP script can check some parameters or login credentials or something that makes sure the URL has been loaded by 1).
However, it's hard to give you a clear answer since you don't describe the concrete problem you're having. For example, it makes much difference how secure the method needs to be. For example, it's rather simple to check if a URL is loaded inside a frame using JavaScript but that check is not hard to circumvent.
Your httpdocs directory is your Apache DocumentRoot (found in /etc/httpd/conf/httpd.conf) or your vhost DocumentRoot (if you've got vhosts defined), so assuming Linux:
1,2,4 should go into /var/www/vhosts/sitename.com/httpdocs/ - these are directly accessible through the browser.
3 should go into /var/www/vhosts/sitename.com/library/. When the user submits data it should hit a handler page (the user must be able to "see" this page) and that page includes the necessary files from this library directory. As long as your server is configured to run PHP for all *.php scripts this is probably unnecessary, as there is little advantage to be gained from hiding PHP scripts. If you don't want them invoked directly and you'd like to leave them in a publicly accessible area, try:
public script:
define('INVOKED_BY_SCRIPT', true);
...
include "../library/hiddenScript.php";
"hidden" script:
if (!defined('INVOKED_BY_SCRIPT') || true !== INVOKED_BY_SCRIPT) {
echo "Cannot invoke directly";
exit;
}
Your MySQL database should be in /var/lib/mysql, or wherever it's been installed by default. Be sure to run the MySQL security script mysql_secure_installation to remove default passwords and test databases.
Everything except the includes should be in your public_html directory.
For 3, it is not possible to have a PHP script that can be referenced by a form, but it not accessible by the user typing in the address into the address bar. The best you could do is to check the post variables to see whether anything has been posted. You could check the HTTP_REFERER variable, but I would not recommend this since it cannot be relied on.
You can't make HTML only to be viewed inside an iframe
There are NO files called by 1). It's users browser that calls your files.
So, just leave your directory structure as is, it's okay.
What you're probably looking for is a way to "hide" your executable files outside of the document root, which you can do with a directory structure something like this:
public_html <-- (document root)
index.php <-- (publicly accessed index file)
images
htmlstuff
private_index.php <-- (application's "real" index file)
application
tmp
Then, for public_html/index.php, you'd just have:
<?php
require_once('../private_index.php');
I am separating some XHTML from PHP by putting the XHTML into a separate file and then using PHP's include() function within the PHP script.
This works perfectly fine, however, users are still able to access the .html file directly if they know the address. They can't really do much with it, but I would rather it not show.
I've seen some scripts in the past use some form of referrer check, is this what I would do to add some basic (Notice I said 'basic') restrictions to prevent it from being viewed by accessing it directly?
Thanks!
Clarification: I forgot to mention that I want to do this within PHP, so no web-server configuration (Moving files out of document-root, configuring web-server to disallow access, etc.). I think the most logical choice here is to use the define() constant check, that's actually indeed what I've seen in other scripts that I had forgotten, as I outlined in my post. I realize this is probably not the best solution, but given that the html file that can be access is of no particular value, the define() constant should suffice.
If you currently place all your files (like index.php) in /something/public_html/ you will want to move the files to /something/. That way users cannot access the files.
The /public_html/ is called your document root. That folder is mapped to example.com, and and basically the website starts there. If you move the files to above where the website starts, no one can access those files via a browser.
As Ignacio said, this will not work with include if safe mode is turned on.
Other methods are to place something at the top of the file thats says
if(!defined("RUNNING_SCRIPT"))
die("No Direct Access Allowed");
and then in your PHP files put
define("RUNNING_SCRIPT", true);
If RUNNING_SCRIPT is not defined, that means they are directly accessing it, and it stops the page from loading. This only works though if PHP runs on the .html files.
You could also use a .htaccess file to disallowed access to that folders.
Just move it outside of the document root. This will not work if PHP is in Safe Mode though.
Change your webserver configuration to disallow access to that file?
No, do something like this:
index.php:
<?php
define('ALLOW_INCLUDE', true);
include('other.php');
?>
other.php:
<?php
if (defined('ALLOW_INCLUDE') === false) die('no direct access!');
// your code
?>
It's a good idea to place this as the first line.
You can also use .htaccess or drop a index.html page too as fallbacks.
<?php defined('SOME_CONSTANT_GLOBAL_TO_YOUR_APP') or die('Access denied.'); ?>
may be apache access control?
http://httpd.apache.org/docs/2.2/howto/access.html