Block file download via PHP script


Hi, I’m having trouble with the download of some files. I suspect that someone on the team is inserting a PHP script that downloads files from the server (such as the DB settings in production).

I wonder if it is possible to block the download via script. I have already blocked direct access by URL (http://meuserver/path/file.php), and the permissions are read-only for the apache user. However, when I run the code below, I can download the file and view its contents.

Below is an example of the code I wish to inhibit:

<?php
$arquivo = "path/file.php";
$tipo = "application/octet-stream"; // $tipo was not defined in the snippet as posted
header("Content-Type: " . $tipo);
header("Content-Length: " . filesize($arquivo));
header("Content-Disposition: attachment; filename=" . basename($arquivo));
readfile($arquivo); // streams the raw file bytes to the client

I have done several searches and only found how to block direct access, but with the above code it is possible to download the file.

PS: I currently need to lock a single file.

  • I already answered a question about it here on the site. It was in Laravel, but the example applies to PHP. You can use authentication or even CAPTCHA to check who’s messing with you.

  • Let me get this straight: are you able to download your PHP script? Now I’m in doubt

  • I did some tests, but PHP does not come through as the open script; only the text inside it comes through, i.e. the user cannot download the code itself.

  • Only the HTML comes through; it would be a huge flaw if the PHP came through.

1 answer

If I understand your question correctly, you are afraid that someone on your team is intentionally putting security loopholes in your application that allow outside access to sensitive information. If this is the case, there is little that can be done at code level. You can try to protect the file or information in some way, but the person may make it available in another. What you need is to improve your development, review, and deploy process, find out who’s doing it, if it’s really happening, and remove them from the team. Depending on the size of the team, start reviewing everything it produces before you put it live; this way you can find the problem.

By default, when you deploy the application the source code will only be available for download if you do not properly configure the PHP module on the web server, or if some failure occurs that in some cases causes the web server to return the source. Usually this is solved by not leaving PHP code in the public folder (/var/www/html, for example).
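As an added illustration of what "protecting the file at code level" can look like (this is example code, not the answer's or the asker's), the download handler below refuses any path that resolves outside one allow-listed directory, so a request for `path/file.php` or `../config/db.php` is rejected instead of streamed. It generalises the asker's single-file case to a whole directory; `DOWNLOAD_DIR` and the `file` query parameter are assumptions.

```php
<?php
// Added example: serve downloads only from one allow-listed directory.
// Assumption: DOWNLOAD_DIR is outside the public web root (e.g. /var/www/html).
define('DOWNLOAD_DIR', '/var/www/downloads');

function safe_download_path(string $requested, string $baseDir): ?string
{
    // realpath() canonicalises "..", symlinks and duplicate slashes and
    // returns false when the target does not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // The resolved file must sit strictly inside the base directory.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Plain files only, and never PHP source even if it lands in the directory.
    if (!is_file($full) || strtolower(pathinfo($full, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $full;
}

$requested = $_GET['file'] ?? '';
$arquivo = safe_download_path($requested, DOWNLOAD_DIR);
if ($arquivo === null) {
    // Same response for "does not exist" and "not allowed": no path probing hints.
    http_response_code(404);
    exit('File not available');
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($arquivo));
header('Content-Disposition: attachment; filename="' . basename($arquivo) . '"');
readfile($arquivo);
```

This only constrains this one handler; as the answer says, a teammate who can deploy arbitrary PHP can simply ship a different script, so it complements code review and a deploy process rather than replacing them.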
