15
I have a PHP application and I don’t want the user to be able to type the name of a specific file in the address bar, for example { example.com/send.php }, all my files are called by index.php, as I could avoid direct access to all of them except the index?
Detail: I use the Apache server running on Debian 8.
10
I use in the htaccess from my wordpress blog the following rule
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
The first part denies access to all files .php and the second frees access only to index.php
So in my case wordpress if the person tries to access a file like the wp-config.php which is at the root gets a page warning not found instead of the page.
Can be used on sites other than wordpress as well
6
You could do this by creating a folder where all your acquisitions are protected and inside that folder you would create a file .htaccess putting this instruction below inside it, which causes access to the folder to be prohibited by http request and thus returning a 403 error to the user who tries to access any file inside the folder:
Deny from all
And at the root of your application where the index.php file is, you could put another one. htaccess with the following commands below, in case you want to work with URL friendly:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
Where inside the index.php file you would have to handle the $1 request argument.
The folder structure could look like this:
Interesting idea to put a . htaccess in each folder q you wanted to deny direct access via http! It’s the best idea I’ve ever seen!!!
5
Having developed my project in a procedural way, without using any framework (just a miniframework for session authentication that only works for archives at the root :/) or standard structure (Pattern design), I ended up going through this dilemma recently, and the best solution I found was to put everything that will not be accessed by http (basically files included by include or require) in a folder, and .htaccess hers:
deny from all
And in another folder I put what has to be accessed by http (*JS, *CSS, and some html's) and at the root I put the main files, where they are restricted through session. And I think without a design pattern defined and a framework, there is not much more to be done.
I know this does not answer the question, just wanted to pass my recent experience before translating (freely with the help of Google) that excellent response from Soen:
Are you sure you want to do this? Even with css, js and imaging...?
Okay, first check if
mod_accessis installed with Apache, and on then add the following to your.htaccess:Order Deny,Allow Deny from all Allow from 127.0.0.1 <Files /index.php> Order Allow,Deny Allow from all </Files>The first directive prohibits access to any archives, except from localhost, and because of
Order Deny, Allow Allow, to second directive only releases access fromindex.php.Warning: There is no space after the comma in the order line.
[EDIT:]
To allow access to . css or * . js files use this directive:
<FilesMatch ".*\.(css|js)$"> Order Allow,Deny Allow from all </FilesMatch>You cannot use guidelines for
<Location>or<Directory>inside files.htaccess.One option would be to use
<FilesMatch ".*\.php$">around the first groupallow,deny group, and then explicitly allow access toindex.php.
5
A safe technique is by directory indentation.
We can also solve with other techniques such as the definition of a constant or the rules of permission to access a public folder.
This resource depends on the page server used.
I consider the directory indentation more secure because it protects both client and server side.
To better understand, imagine a situation where the site owner has access to FTP. But you don’t want this guy to have access to the system codes. It is recommended not to leave the system so open even for the owner, especially when it is a layman, because fatally one day the subject will touch the codes, causing bugs or something more serious.
How to do directory indentation?
In the public folder you would only have the index.php file.
In this index.php file, you include a file in a private folder.
Example of structure.
/var/www/website.foo/public
/var/www/website.foo/app
/var/www/website.foo/logs
In the above example, the root directory is /var/www/website.foo/public
The index.php file would be inside this directory /var/www/website.foo/public/index.php
All other system . php files, put out public folder.
/var/www/website.foo/app/foo.php
/var/www/website.foo/app/bar.php
Since this directory is not accessible to the public, it is safe. However, a third person with server access via FTP or SSH can still have access to the files.
If you want to enhance security, do not give SSH or FTP access to this directory to unauthorized persons.
For the client who wants FTP access, free it to access only from the public directory.
Still runs the risk of the client running php scripts inside the public folder.
For these cases, it is also possible to block execution of PHP scripts in the public folder. The problem is that index.php would no longer work.
One solution to this is to create a symbolic link where even index.php could stay out of the public folder.
This way we have all the files, including index.php, protected from both visitor and FTP user.
On Linux systems, the symbolic link can be made as follows:
ln -s "/var/www/website.foo/app/index.php" "/var/www/website.foo/public/index.php"
In Windows environment:
mklink /j "c:\www\website.foo\app\index.php" "c:\www\website.foo\public\index.php"
A flaw for using directory indentation or symbolic link is when the system runs in an environment where we are not allowed to run command lines and in many cases where it is not even possible to do directory indentation. This situation is common in shared hosting of outdated structure.
This I was going to comment, if it is not a VPS or a good hosting, the user is in the "swidden". Unfortunately what we see most here in Brazuca is this kind of structure on hosting sites.
Browser other questions tagged php
You are not signed in. Login or sign up in order to post.
One of the techniques is to put it outside the root of the site: If your site is, for example in /web/httpdocs/index.php you can send it.php in /web/send.php. But this only works with includes. Another solution would be to block direct access with some rules in .htacess. There are several ways, it depends a lot on the page server used. (tou posting as a comment just to advance the subject) , let’s see if anyone posts anything more elaborate or indicates possible existing answers. PS: Very cool you continue using the site, hope we can help better in this case here.
– Bacco
Ah, a hint: if you want to add more details to the question, such as the type of server you use, or more details of the file structure you have (or will need), use [Edit] just below the question. Details usually help in the preparation of answers.
– Bacco
Thanks for the answer, I will wait for more solutions because my project already has a considerable amount of files, it would be difficult to migrate, I think the rules of htaccess will be useful.
– Ana P. Messina