Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Prevent direct file access

Posted on 2006-10-19
6
1,153 Views
Last Modified: 2012-08-13
I know this was probably asked many times, but still it is the first time I have to deal with it. In my web app I am preparing I don't want users to be able and type in url that would directly access some .php file that would otherwise be called from other .php. Testing the app, it throws an empty page or sometimes some of page but without any data. Still, I don't like that, so what are my options and cons and pros of them?

I know I can play around with apache - file access permissions, I can even place some files outside the web directory, can check referrer, ...
I am looking for some consistent way I can apply throughout the project.

What is your fav. choice and why?

thanks!
0
Comment
Question by:hpet
6 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 43 total points
ID: 17766693
The easiest and best way to do it is to move the files outsde your webservers directory. It's easy to setup a directory tree that suits different projects and it's the most transparent way of doing things (it's easy to overlook a wrong file permission on a file and checking for referrer won't work in all cases and also involves extra work)
0
 
LVL 4

Assisted Solution

by:markdoc
markdoc earned 41 total points
ID: 17766756
hi,

i've tried putting all of my include files in a directory outside my document folder and i think this is the safest and best option especially if you have more control over your web server's directories. use this in tandem with set_include_path().

i also tried playing around with file permissions and they also worked but of course it would be a lot of work if you have many include files and could be a pain if you are using a free web hosting.

for me checking the referrer and other exotic methods are far too fancy for me to trouble myself with. you can try though merely to know how effective they are.

-doc
0
 
LVL 9

Assisted Solution

by:Rob_Jeffrey
Rob_Jeffrey earned 41 total points
ID: 17766837
Your options are pretty limitless.  It would help if you know what you want to happen when a user tries to access an include directly.

Do you want to display an empty page, or 404 - or display the default page?

If you are just asking for personal choice, then mine is simply the blank page.  I'm lazy.  The average person will never find out anyway.
I don't let my include files echo out anything - they all give return values.  I have all my includes in a single folder and file browsing is turned off for that folder.  The calling PHP files don't let the browser (web user) know what file(s) it calls.

The average hacker will now have to guess what the files are called to call them directly - or write something that will pull files randomly (a.php, b.php, etc).

I like TeRReF's idea - but you may not have that kind of access on some shared webservers.  
0
 
LVL 15

Expert Comment

by:babuno5
ID: 17767164
well the way i do is to have my class file or the file which are to be secured in the/home/http/WEB-INF/ directory and the executable php from the browser i usually keep in the /home/httpd/html/{some application name}/

I hope this helps
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses four methods for overlaying images in a container on a web page
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question