For example:
www.example.com/about.php
I don't want the files with the extension .php to be available to reach, display a 404 page instead.
I have the files in the root folder:
content.php
about.php
footer.php
etc...
Now i can reach these files by typing in to the adress bar. I want to restrict this.
How can i do that?
A better approach that avoids the overhead and complexity of mod_rewrite is to simply not put files you don't want reached by url in the root folder. You can just put them somewhere else and include them from there; simple and (more) secure, but for some reason this doesn't seem to be common knowledge.
An example structure might be
project/
project/root
project/lib
Your public code (e.g. index.php) would live in project/root, and that would be the website root. Your included code would live in project/lib can be easily included using require, include, etc.
No mod_rewrite. Very simple.
RewriteRule \.php$ /path/to/page/404.html
Related
I have been reading on how to protect my .php includes. The main suggested option is to place the .php files I want to protect outside the folder that serves the .php files which is /public_html in my case.
So, I decided to make a folder named /includes and I access my .php includes from the /public_html .php files like ../includes/file.php. This works nicely but I am being a bit paranoid.
Can I go ahead and add an .htaccess with the following line on /includes:
Deny from all
I know the user is not supposed to access the /includes in my case. Though, would that .htaccess file in /includes hurt me in any case?
Thank you.
A really good way is to have a front controller (FC) manage all of your resource requests, and htaccess to route everything to the FC.
Then if someone tries to access something on your site it'll be routed through FC. It will in turn call a router which should only allow loading of files this way which are in a specific directory.
So attempting to navigate to (eg) includes/someScript.php wont work because FC wont route a web request into the includes dir.
This won't affect your requiring them within PHP files as this request wont go through the FC.
Assume we have a complete web page in /web_page/ directory. Now I want to include the index.php file from /include/ directory, so that /include/index.php will show the same web page as in /web_page/index.php. There are some problems:
This can not be done through iframe.
There are a lot of included files in the /web_page/ directory and simple require_once() causes other includes to be not found.
As #pes502 suggested, it may be better to do this with .htaccess. Try adding this to a .htacess file in the root directory.
RewriteEngine On
RedirectMatch 301 /include/index.php /web_page/index.php
This will send a header that redirects from one page to the other, preventing duplicate pages.
You can use ../ as 'one folder up'. So include should be like:
include_once('../include/index.php');
Every sub directory inside the directories 'application' and 'system' in my codeingiter web application has an index.html file. Inside this HTML file there is what looks to be a standard error message. It contains this code:
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>
I assume these are created so that if anyone tried to visit a directory inside either 'application' or 'system' it wouldn't list all the files, but would instead show an error.
These seem redundant though as I have added an .htaccess in each directory to deny all access. Every PHP file in those two directories also has the first line:
if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Which should mean that no one can view any of those files at all (as I am protected once by the .htaccess and once by that line of PHP).
Therefore my question is - in the interest of keeping my web application organised and clutter free, can I safely remove these index.html files? Will this cause any bad side effects to my codeigniter web application?
Thanks in advance
Yes, you can remove them.
but even if you have proper rights in place, you should have them there. as they are there on only purpose, in case, you forgot to implement proper directory browsing rights
as far as you set your .htaccess file,, which is not redirecting towards or have no relation with your index.html file, you are safe (and no use to keep) to remove your index.html. But you should be careful. index.html can help in case if you fail with your .htaccess
In general You can remove those index.html files but you need to be sure that directory index is disabled in you web server configuration.
For Apache web server you can use Options -Indexes either in global configuration or in .htaccess files like this:
<Directory /wwwdata/ >
#disable directory index
Options -Indexes
#other options ...
</Directory>
Those index.html files in CodeIgniter prevent (in any case) directory listing wich can lead to serious security flow.
While I agree that a .htaccess and the basepath condition checks are good enough, I do not really think that having two html files in two directories really clutters anything. You can never be careful enough when putting things on the web, and the CodeIgniter guys sure would have thought about it before adding it.
I really do not see any value addition removing them, but if that is what you want to do go ahead.
But I suggest keeping index.html as well. Keeping index.html wont harm your application but sure it do some sort of protection.
If you say that you have forbidden access to the directory with .htaccess then you can safely remove them and let your worries go away!
But in case the directory is used by PHP script for some reasons and puts something in those directories and then provides a link to a user, just for example, than it will not work properly and you will have to remove your .htaccess restrictions.
I would just recommend to leave just a blank index.html and when a user reaches the directory there will be just a blank page displayed.
Or you could force a user to be redirected to the main page with index.php, for example:
<?php
header("Location: ../");
?>
Apologies if this has been asked already. I tried to do an extensive search but I don't know much about htaccess so I don't know which questions have been relevant.
Right now I'm setting up a pretty expansive system with php that requires several pages and functions. To keep things simple and manageable, I have one single file "economy.php" that then requires files from the "/economy/" directory.
I read on another question that the best way to deal with the files within only being accessed from the economy.php file is to use an htaccess file in /economy with deny from all. This worked, except now the images and stylesheet within the /economy directory don't work.
The solution I can think of is to create a directory /economy/pages/ and throw the php files and htaccess file in there. But that's sloppy, and I'm assuming there's an easier way to handle it.
What's my best course of action?
I think you should look at the Files apache directive
So you should have something like that :
<Files ~ "\.(php|.htaccess|php5)$">
deny from all
</Files>
Hope this helps ...
Mimiz
The "deny from all" is blocking the user's browser from accessing the CSS and image files. Best bet is to break up the directory structure. Create top level directories for images, css, js, source, etc. Then update the paths in the code accordingly. You can then use an Apache config (or .htaccess which is slower) to deny outside access to the source dir.
I want to make it impossible for users to access a certain scripts running on my server.
The best way i can explain this is by explaining a brief description of how the root level of the website works.
ROOT contains 4 scripts:
index.php
home.php
error.php
results.php
In the index file, i have included and directed the user to these 3 files, on certain instances.
Now, this causes a bit of a problem, as the index file includes the neccessary controllers and any addittional scripts before the new script is included and the users' point of view changes to the new "webpage". I have done this as it provides a very quick experiance for the user, as in the the page load times have become very low.
Now these files have been set with the robots no index meta, and are removed from the sitemap. I want to go one step further, and make it impossible for users to access these scripts direcly, as in by typing http://www.mysite.com/results.php
This is because if they do they are greeted with an ugly, unfuctional page that has not had the layout variables, or main css stylesheet defined.
Here is a brief outline of index.php:
<?php
ob_start();
$activeHome = 'active';
require_once $_SERVER['DOCUMENT_ROOT'] . '/../../includes/config.php';
require_once($docRoot . '/includes/layout.php');
...
include 'home.php';
?>
This script includes any code that configures the 3 other scripts. as in
if (isset($_GET['register']))
{
header('Location: http://www.mysite.com/register/');
exit();
}
And here is the same for home/results/error.php
<?php
....
echo $head1 . $pageDetails . $head2 . $header . $pageContent . $footer;
exit;
?>
In these scripts all of the varibles except for pageDetails and pageContent are defined in the layout script, along with the main css file.
So as you can see by the setup of this website, i do not have very many options left, unless to restrict these pages by a php function which i presume would be fairly complex and more than likely over my head... I assume it would involve heavy use of global or session variables, which is not something i am all to keen about. An easier way, i thought, would be to do this via the htaccess file. But i am not all that knowlegable when it comes to htaccess commands, and i am not so sure if this is even possible going that route.
Would anyone with a bit more knowledge on something like this, like to offer their opinion or any input or advice?
You have two choices.
1. Move the files outside of the web root - This logically makes more sense. If the files aren't meant to be accessed by the web server they should be outside of the web root. This would be the preferred method as long as you (and the web server's user and group) have access to the directory that contains your php scripts. It is also more preferable because you don't need Apache specific (or even mod_rewrite specific) .htaccess rules so this will be portable to most other server flavors. A sample directory structure might looks like this:
/
/www
/index.php
/includes
/home.php
/error.php
/results.php
Just make sure that your webserver's user has access to www and includes and your webserver configuration allows you to work outside of your web root (most apache configurations only allow you to work within it).
2. Add htaccess rules to prevent those from being accessed - This is less preferable. If you want to be stubborn or you have a legitimate reason for keeping the files in your web root, this would be the way to do it on Apache.
RewriteEngine On
RewriteRule ^(home.php|error.php|results.php)$ - [L]
To prevent users from accessing /register/register.php:
RewriteEngine On
RewriteRule ^register/register.php$ - [L]
If a file should be accessed only from another script, and not directly via HTTP, then don't keep it under the HTTP server's root directory.