Prevent direct file access

hpet asked (Medium Priority, 1,181 Views, Last Modified: 2012-08-13):
I know this was probably asked many times, but it is still the first time I have to deal with it. In the web app I am preparing, I don't want users to be able to type in a URL that directly accesses some .php file that would otherwise be called from another .php. Testing the app, it throws an empty page, or sometimes part of a page but without any data. Still, I don't like that, so what are my options, and the pros and cons of each?

I know I can play around with Apache (file access permissions), I can even place some files outside the web directory, check the referrer, ...
I am looking for some consistent way I can apply throughout the project.

What is your fav. choice and why?

thanks!

Commented:
The easiest and best way to do it is to move the files outside your web server's directory. It's easy to set up a directory tree that suits different projects, and it's the most transparent way of doing things (it's easy to overlook a wrong file permission on a file, and checking for the referrer won't work in all cases and also involves extra work).

Commented:
Hi,

I've tried putting all of my include files in a directory outside my document folder, and I think this is the safest and best option, especially if you have more control over your web server's directories. Use this in tandem with set_include_path().

I also tried playing around with file permissions, and they also worked, but of course it would be a lot of work if you have many include files, and it could be a pain if you are using free web hosting.

For me, checking the referrer and other exotic methods are far too fancy for me to trouble myself with. You can try them, though, merely to know how effective they are.

-doc
Rob_Jeffrey (IT/Programming, Certified Expert) commented:
Your options are pretty limitless. It would help if you knew what you want to happen when a user tries to access an include directly.

Do you want to display an empty page, or 404 - or display the default page?

If you are just asking for personal choice, then mine is simply the blank page.  I'm lazy.  The average person will never find out anyway.
I don't let my include files echo out anything - they all give return values.  I have all my includes in a single folder and file browsing is turned off for that folder.  The calling PHP files don't let the browser (web user) know what file(s) it calls.

The average hacker will now have to guess what the files are called to call them directly - or write something that will pull files randomly (a.php, b.php, etc).

I like TeRReF's idea, but you may not have that kind of access on some shared web servers.

Commented:
Well, the way I do it is to have my class files, or the files which are to be secured, in the /home/http/WEB-INF/ directory, and the PHP that is executable from the browser I usually keep in /home/httpd/html/{some application name}/.

I hope this helps
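As an added example (not code from this thread or from any of the commenters), the following PHP 7.4+ script builds the layout that TeRReF, doc and the WEB-INF comment above describe in a temporary directory and runs it from the CLI, so that the effect of each piece can be seen without a web server. The directory names, the file names, the APP_ENTRY constant and the sample rows are assumptions for illustration only. It combines two ideas from the thread: the include lives outside the document root, so no URL can reach it, and, following Rob's advice, it never echoes anything and only returns values, with a guard that turns a direct hit into a 404 and an empty body rather than leaving the outcome to chance.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed layout (hypothetical):
//   <tmp>/html/app/index.php   public: under the (pretend) DocumentRoot
//   <tmp>/WEB-INF/users.php    private: outside it, unreachable by URL
$root = sys_get_temp_dir() . '/ee-includes-' . bin2hex(random_bytes(4));
mkdir("$root/html/app", 0755, true);
mkdir("$root/WEB-INF", 0755, true);

// The private include. It defines a function and returns a value to whoever
// required it; it prints nothing. The guard decides what a direct request
// would get if a copy ever landed under the web root: a 404 with no body.
$privateInclude = <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {   // not reached through the entry script?
    http_response_code(404);   // real 404 under a web server, no-op on the CLI
    return null;               // stop here and output nothing
}
function active_users(array $rows): array {
    return array_values(array_filter($rows, fn($r) => $r['active']));
}
return ['loaded' => true];
PHP;
file_put_contents("$root/WEB-INF/users.php", $privateInclude);

// The public entry script. It marks itself as the entry point, puts the
// private directory first on the include path (doc's set_include_path()),
// and requires the include by bare file name so it can only resolve there.
$entryScript = <<<'PHP'
<?php
define('APP_ENTRY', true);
$private = realpath(__DIR__ . '/../../WEB-INF');   // outside html/
set_include_path($private . PATH_SEPARATOR . get_include_path());
$lib = require 'users.php';
// Constructed sample data standing in for a database query.
$rows = [['name' => 'ann', 'active' => true], ['name' => 'bob', 'active' => false]];
foreach (active_users($rows) as $u) {
    echo "active user: {$u['name']}\n";
}
PHP;
file_put_contents("$root/html/app/index.php", $entryScript);

// 1. The normal path, as a request for /app/index.php would run it.
include "$root/html/app/index.php";

// 2. A direct hit on the include. Run it in a fresh process, since APP_ENTRY
//    is already defined in this one; the guard should leave the body empty.
$out = shell_exec(escapeshellcmd(PHP_BINARY) . ' ' . escapeshellarg("$root/WEB-INF/users.php"));
echo ($out === null || $out === '') ? "direct access: empty body\n" : "direct access leaked: $out";

// 3. There is no users.php anywhere under html/, so there is no URL for it
//    at all; the guard above is only a second line of defence.
echo glob("$root/html/*/users.php") ? "leak: include is under the web root\n"
                                     : "users.php is outside the web root\n";
```

The temporary tree is left in place so the two files can be inspected afterwards. Two practical notes: the include path change only affects PHP's own lookups, so it is the directory placement, not set_include_path(), that keeps Apache from serving the file; and a referrer check is no substitute for either, because the Referer header is supplied by the client and can be set to anything by whoever is probing the URLs.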