How do I make files and directories as high security as possible that will only be accessed with php scripts and keep all file access modes fully functional?
Securing files and directories
-
With an .htaccess file, if it is supported by your server (normally yes).
-
I want to be able to only access folders and files for my forum with the php scripts.
- htaccess password file or
- mod_rewrite
Saludo
piz
Comment
-
I usually try to put all my include scripts outside of the web server root. That way, even if someone finds out the file name and where they are on the server, they would need to hack into the server to get the scripts.
example:
server root: /home/userName/public_html
includes: /home/userName/includes/ (just make it readable to apache.)
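Then create a constant in PHP:
PHP Code:
// "INCLUDE" cannot be the constant name: PHP keywords are case-insensitive, so it would parse as the include keyword
define("INCLUDE_DIR", "/home/userName/includes/");
PHP Code:
include(INCLUDE_DIR . "dbConn.php");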
Comment
-
I guess if I add an index.html blank page to those directories that would be enough
...or do this with .htaccess... ;-)
Comment
-
I can't find that file. I've been trying to find it for a week now and I've contacted my server about 5 times. It's nowhere to be found nor where they claim it is.
The reason for putting in a blank index.html file is that if you type in the folder path it will take you to that... I'm running Apache and it can be known to list the directories...
~Designer's Toolz~
Comment
-
Originally posted by DsgnrsTLZAdmin
My files that will be accessed are outside the root on the server. The closest it ever gets is 1 directory away... and 2 directories away for the password. I guess if I add an index.html blank page to those directories that would be enough
Example...
If your server root is /home/userName/public_html, then you can access the files through a browser at http://mydomain.com/~userName/
On the other hand, if you place the files outside of the public_html directory (i.e. /home/userName/someplace/), you can never access the files through Apache. Indexing won't matter as they are inaccessible to the world.
Now, if you're placing the files in a directory which is a direct descendant of the server root (i.e. /home/userName/public_html/somedir), they are not secure and can be viewed at http://mydomain.com/~userName/somedir. Even if you have an index.html file to stop the directory listing and disable directory listings in Apache, if someone guesses your file name, or sees it in an error message, they can still view the file with a direct request.
To find the config file and to turn off directory listings, log into your server via ssh and type the following:
Code:
$> find / -name httpd.conf -print 2> /dev/null
Look for the line:
Code:
Options Indexes FollowSymLinks MultiViews Includes ExecCGI
Comment
-
I can't find that file. I've been trying to find it for a week now and I've contacted my server about 5 times. It's nowhere to be found nor where they claim it is.
To find the .htaccess file, you have to create one and turn "show hidden files" on.
Last edited by piz; Feb 12, 2004, 01:56 PM.
Comment
-
... but on some shared hosts a file given 0777 or 0666 etc. permissions is often readable by other users on the same server regardless of being above or below the web root, especially if the file was created by script (apache|nobody). Anyone who can read/include a file can then get the contents, so your caution is valid.
Last edited by firepages; Feb 12, 2004, 02:35 PM.
resistance is...
MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
Comment
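A check for the two points raised in this thread (include files kept outside the web root, and permission bits that let other users on a shared host read them), as an added example that is not part of the original posts. The function names are hypothetical, and the two directories are passed as arguments, for instance the thread's /home/userName/public_html and /home/userName/includes.

```shell
#!/bin/sh
# Added example: audit an include directory for the risks discussed above.
# Usage: sh audit.sh <web-root> <include-dir>
# All function names below are hypothetical, chosen for this example.

# Succeeds when directory $2 is the web root $1 itself or lies below it.
# Both paths are resolved with pwd -P so symlinks and ".." cannot hide it.
is_under_docroot() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every file or directory under $1 with any "other" permission bit
# set (read, write or execute/traverse), e.g. modes 0666 or 0777.
# Symlinks are skipped because their own mode bits are not meaningful.
world_accessible() {
    find "$1" ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print 2>/dev/null
}

# Runs both checks; returns 1 if either one reports a problem.
audit() {
    rc=0
    if is_under_docroot "$1" "$2"; then
        echo "WARN: $2 is inside the web root $1; a direct request can reach it"
        rc=1
    fi
    found=$(world_accessible "$2")
    if [ -n "$found" ]; then
        echo "WARN: accessible to other local users:"
        echo "$found"
        rc=1
    fi
    return $rc
}

# Run the audit only when both directories were given on the command line.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The check reads permission bits only: where every customer's PHP runs as the same apache or nobody user, a file that user can read stays readable to their scripts whatever the mode.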