Securing files and directories - CodingForum

  • Securing files and directories

    How do I make files and directories as high security as possible that will only be accessed with php scripts and keep all file access modes fully functional?
    Last edited by DsgnrsTLZAdmin; Feb 11, 2004, 08:17 PM.
    ~Designer's Toolz~

  • #2
    With an .htaccess file, if it is supported by your server (normally yes).
    www.united-scripts.com
    www.codebattles.org



    • #3
      Thanks but I asked how....Gonna need more than that...anyway since I'm here I'll define what I first posted in this thread.

      I want to be able to only access folders and files for my forum with the php scripts.
      ~Designer's Toolz~



      • #4
        I want to be able to only access folders and files for my forum with the php scripts.
        Yes, I know. If you use .htaccess you have two possibilities to prevent access to files from 'outside', and so you'll let only server-side scripts access those files.

        - htaccess password file or
        - mod_rewrite

        Saludo
        piz
        www.united-scripts.com
        www.codebattles.org



        • #5
          I usually try to put all my include scripts outside of the web server root. That way, even if someone finds out the file name and where they are on the server, they would need to hack into the server to get the scripts.

          example:

          server root: /home/userName/public_html

          includes: /home/userName/includes/ (just make it readable to apache.)

          then create a constant in PHP

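          PHP Code:
          // "include" is a reserved word in PHP and keywords are case-insensitive,
          // so the constant needs a different name (INCLUDE_DIR here).
          define("INCLUDE_DIR", "/home/userName/includes/");
          Then include files like this...
          PHP Code:
          include(INCLUDE_DIR . "dbConn.php");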
          Zend Certified Engineer



          • #6
            my files that will be accessed are outside the root on the server. closest it ever gets is 1 directory away...and 2 directories away for the password..i guess if i add an index.html blank page to those directories that would be enough
            ~Designer's Toolz~



            • #7
              i guess if i add an index.html blank page to those directories that would be enough
              Why? Just turn off directory listing and you'll need no blank index.

              ...or do this with .htaccess... ;-)
              www.united-scripts.com
              www.codebattles.org



              • #8
                I can't find that file. I've been trying to find it for a week now and I've contacted my server about 5 times. It's nowhere to be found nor where they claim it is.


                The reason for putting in a blank index.html file is that if you type in the folder path it will take you to that...I'm running apache and it can be known to list the directories...
                ~Designer's Toolz~



                • #9
                  Originally posted by DsgnrsTLZAdmin
                  my files that will be accessed are outside the root on the server. closest it ever gets is 1 directory away...and 2 directories away for the password..i guess if i add an index.html blank page to those directories that would be enough
                  If your files are outside of the root, there's no way to access them through apache.

                  Example...

                  if your server root is /home/userName/public_html, then you can access the files through a browser at http://mydomain.com/~userName/

                  On the other hand, if you place the files outside of the public_html directory (i.e. /home/userName/someplace/), you can never access the files through apache. Indexing won't matter as they are inaccessible to the world.

                  Now, if you're placing the files in a directory which is a direct descendant of the server root (i.e. /home/userName/public_html/somedir), they are not secure and can be viewed at http://mydomain.com/~userName/somedir. Even if you have an index.html file to stop the directory listing and disable directory listings in Apache, if someone guesses your file name, or sees it in an error message, they can still view the file with a direct request.


                  To find the config file and to turn off directory listings, log into your server via ssh and type the following:

                  Code:
                  $> find / -name httpd.conf -print 2> /dev/null
                  This will find the apache config file, then open it using vi (assuming you have permission to)

                  Look for the line:
                  Code:
                      Options Indexes FollowSymLinks MultiViews Includes ExecCGI
                  and delete "Indexes"
                  Zend Certified Engineer
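
The check from post #9, as an added example that is not part of the original thread: a shell function that reports every active `Options` directive in an Apache config file that still enables directory listings (`Indexes`, `+Indexes`, or `All`, which includes `Indexes`). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# list_index_options FILE
# Print "LINE: directive" for each active Options directive in FILE that
# leaves directory listings on ("Indexes", "+Indexes" or "All").
list_index_options() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out directive
        tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "indexes" || t == "+indexes" || t == "all") on = 1
            }
            if (on) { sub(/^[ \t]+/, ""); print NR ": " $0 }
        }
    ' "$1"
}

# Constructed sample config (not taken from a real server).
sample_conf() {
    cat <<'EOF'
# Options Indexes
<Directory "/home/userName/public_html">
    Options Indexes FollowSymLinks MultiViews Includes ExecCGI
</Directory>
<Directory "/home/userName/public_html/somedir">
    Options FollowSymLinks MultiViews Includes ExecCGI
</Directory>
<Directory "/home/userName/public_html/other">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
list_index_options "$conf"
rm -f "$conf"
```

Run it over the file that `find / -name httpd.conf` returns, and over any included config files or .htaccess files, since an `Options` line in a narrower scope overrides the server-wide one.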



                  • #10
                    I can't find that file. I've been trying to find it for a week now and I've contacted my server about 5 times. It's nowhere to be found nor where they claim it is.
                    To find the configuration file, see above.
                    To find the .htaccess file, you have to create one and turn "show hidden files" on.
                    Last edited by piz; Feb 12, 2004, 12:56 PM.
                    www.united-scripts.com
                    www.codebattles.org



                    • #11
                      If the username and password are in a php file, then there's no way anyone can see them anyway, whether it's in a protected directory or above domain root. Unless of course you're printing those details out on that file



                      • #12
                        ... but on some shared hosts a file given 0777 or 0666 etc. permissions is often readable by other users on the same server regardless of being above or below the web root, especially if the file was created by script (apache|nobody), anyone who can read/include a file can then get the contents, so your caution is valid.
                        Last edited by firepages; Feb 12, 2004, 01:35 PM.
                        resistance is...

                        MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
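
The two checks raised in posts #9 and #12, as an added example that is not part of the original thread: one function tests whether a directory sits outside the web root, the other lists files whose mode bits let any other account on the host read or write them. The function names, file names and temp-directory layout are constructed; only the `public_html`/`includes` split comes from the thread.

```shell
#!/bin/sh
# outside_docroot DOCROOT DIR: succeeds only when DIR is neither DOCROOT nor below it.
outside_docroot() {
    root=$(cd "$1" && pwd -P) || return 2
    dir=$(cd "$2" && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) return 1 ;;  # under the web root: a direct request can reach it
        *)         return 0 ;;
    esac
}

# loose_files DIR: list files whose mode lets any other account read or write them.
loose_files() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print | sort
}

# make_sample_tree BASE: constructed sample layout (hypothetical file names).
make_sample_tree() {
    mkdir -p "$1/public_html/somedir" "$1/includes"
    : > "$1/includes/dbConn.php"; chmod 640 "$1/includes/dbConn.php"
    : > "$1/includes/posts.dat";  chmod 666 "$1/includes/posts.dat"  # as a script might create it
}

base=$(mktemp -d)
make_sample_tree "$base"
for d in includes public_html/somedir; do
    if outside_docroot "$base/public_html" "$base/$d"; then
        echo "$d: outside the web root"
    else
        echo "$d: served by Apache"
    fi
done
echo "readable or writable by other accounts:"
loose_files "$base/includes"
rm -rf "$base"
```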
