I have a folder (folder_1) that is protected by htaccess/htpasswd files. Inside that folder is another folder (folder_2) that is protected by another couple of htaccess/htpasswd files.
When a php-script in folder_1 or folder_2 is called, the user has to authenticate herself using the correct username and password as specified in the respective htaccess/htpasswd files. This works as intended.
However, as soon as the php-script in folder_2 tries to refer to another script or a css-file that is located in folder_1, the user must enter username and password for folder_1 as well.
Is there a way to avoid this that does not involve copying scripts and css-files from folder_1 to folder_2?
Regards,
Ralf
Unfortunately not; as simply enough, any requests from a particular directory use the rules defined in its own htaccess/htpasswd files. However, I can recommend that you put support files in a tertiary folder, so that you don't have to have a copy in each folder (put css and js in a "folder 3" of sorts).
You can achieve this using access rights, see here under "Checking access rights" about half way down the page. The results is only one login required by a user.
http://www.htpasswdgenerator.com/apache/htaccess.html
I've spent a half day looking into this as it would be an ideal solution for my staging server.
Related
I have a web application and I want to save data in a file instead of in the database.
My doubt is, where I should save the file? If I save it under the public directory, I could refer them with the assets to make the correct URL, but in the public directory, any person could see the file writing the complete URL. This shouldn't be because de data is reserved.
I think about the var directory, but I couldn't use the assets to make the correct URL to get or manage the files.
Where I should save the files and how I get/manage them?
If the data-file is local and hosted on the server's file system, the most logical place to store something like that would be the var directory. Although nothing stops you from creating your own "var-like" directory and naming any way you like it. E.g. data. But I would follow the conventions and create var/data, easier for everyone.
That you can't use the asset() function is irrelevant, because a data-file is not a web asset, but an infrastructure concern.
A file like this should not have a URL at all, but you would only access it through it's file system path.
Just finished doing a simple mail transfer at my site using PhpMailer
I got 3 question about it -
I have read that's needed to store your credentials on a different file, read that there's 2 options - ini/php, which one would be better and how exactly this file should look like.
Regarding the directory of the credentials file, read it should be located outside the web root (just one level above its fine?), in that case how do I call it from inside the web root?
On the same matter, should the Mail.php itself be located on the site directory? or should I take it out as well?
It's generally safest to put values like these in .php files because they will render to nothing, unlike a .ini file which will usually render as plain text.
Yes, one level above is fine - it means that the file does not have a public URL of its own. From a script running inside the web root, you'd just load it with require '../settings.php';
You don't say what Mail.php is, but generally any other PHP scripts can stay put. Things like class definitions are safe because they have no effect when run directly (or at least should have no effect, if you've written them safely!). That said, it's common to put your composer vendor folder outside the web root since you don't necessarily have control over what ends up in there.
How can I access files via a url that are placed in /home/uzair/etc/index.php? Even when I run domain (something.com) it shows me data of (/home/uzair/public_html/index.php) this file.
Anyone please help me that how can I access that placed in (/home/uzair/etc/index.php) on my domain (something.com)
home
uzair
etc
index.php
public_html
admin
index.php
It sounds like you are in something.com which is visible to you on the web so it is located inside of public_html but you want to include a file that is higher up in the file system.
If that is what you are looking to do, use:
include("../etc/index.php");
The .. tells the server that you want to access the files in the next level up.
If you did:
include("../../uzair/etc/index.php");
That would have taken you all the way up to home and from there you would have access to many more files if you wanted to.
Files outside of public_html are protected from being seen on the web. Many people use that feature as a security to their content. If you have a file on there that you want to show contents of though, you have to use the include('file.php'); or include_once('file.php'); or even require_once('file.php') in a public ally visible file. Aka a file you have in public_html has to be the one to call the higher up file. If I am understanding your question right, that is how it is supposed to be done. Let me know if that is answering your question or not:-)
How you can run files not in public_html?
Files outside of public_html are protected from being seen on the web. Many people use that feature as a security to their content. If you have a file on there that you want to show contents of though, you have to use the include('file.php'); or include_once('file.php'); or even require_once('file.php') in a public ally visible file. Aka a file you have in public_html has to be the one to call the higher up file. If I am understanding your question right, that is how it is supposed to be done.
In a way to secure my files from outside access, I am considering placing all the included files outside the public_html folder or the httpdocs folder.
However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.
What is the best and most ideal practice for this? My thinking would be to have a .htaccess point route EVERYTHING to an index.php, and the index.php includes all the neccessary files such as database connections and whatever else, and also includes the .php file which would have the HTML and PHP inside it for the main body content of the page.
Can anyone tell me if there is anything wrong with that, and why?
However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.
The comment uses the word direct. Includes are handling the data indirectly.
My thinking would be to have a .htaccess
Configuration is better handled in the main configuration file if possible. .htaccess marginally is less efficient (and scatters configuration across your webroot).
point route EVERYTHING to an index.php, and the index.php includes all the neccessary files such as database connections and whatever else, and also
The front controller pattern is a perfectly reasonable approach.
includes the .php file which would have the HTML and PHP inside it for the main body content of the page.
Simply including that can start to create a bit of a mess. I suggest investigating the MVC pattern.
The comment you are referring to says that nothing that handles input or output directly should be outside the document root.
On the other hand, it's perfectly fine to place library code outside the root. If you use index.php as a single entry point to your application, pretty much the only things that should be web-accessible in addition to that script would be your assets (css, js, images, etc).
I have a php class that connects to a database which has the password to the database hard coded into it. I do NOT have have access to folders outside the webroot. Reading this forum and others it seemed that creating a htaccess file with
order allow,deny
deny from all
in the directory with my php classes would do the trick. however after doing some quick testing it seems this also blocks the public files which need access to the database to generate the site. to be clear this is the structure i want:
index.php (public file which calls on php classes that access the database)
php_classes/DatabaseConnect.php (contains the password to the database. i want to hide this from everything that is not uploaded onto mysite --- or better yet only to specific files i name)
...
thanks,
brook
Do not place your PHP code in the webroot. Frameworks will typically use this technique where they only put a bootstrap file in the webroot...you can do that same and place your PHP file with sensitve information above your web root so it cannot be browsed.
Your bootstrap file would #require_once '../safe_dir_above_webroot'.
If you're worried about others seeing the login details to your database, rest assure that it cannot be seen if inserted between PHP tags.
.htaccess is a little tricky with some servers. It seems quite a few setups hate overruling which I can understand.
Since you have suggested that you cannot access folders outside of the root directory, you may just want to do something like this.
define("include_allowed", true);
Call that in the leading file, for instance index.php. When a file is included it should check to see if include_allowed has been set true.
if (include_allowed != true) header('HTTP/1.1 404 Not Found');
This checks to see if it has been included by index.php or which ever file that has defined include_allowed true.
If it fails to return true, a 404 error is sent saying not found to trick users! :)
Since your file is PHP , it will processed by the PHP exe, before being rendered to the client. So the password should not be visible. Having said that to use htaccess to stop view a particular file you can do this
<Files php_classes/DatabaseConnect.php>
Deny From All
</Files>