Prevent direct file access

Posted on 2006-10-19
Medium Priority
Last Modified: 2012-08-13
I know this was probably asked many times, but still it is the first time I have to deal with it. In the web app I am preparing I don't want users to be able to type in a URL that would directly access some .php file that would otherwise be called from another .php. Testing the app, it shows an empty page or sometimes part of a page but without any data. Still, I don't like that, so what are my options, and the pros and cons of each?

I know I can play around with Apache (file access permissions), I can even place some files outside the web directory, check the referrer, ...
I am looking for some consistent way I can apply throughout the project.

What is your favourite choice and why?

Question by: hpet

Accepted Solution

TeRReF earned 172 total points
ID: 17766693
The easiest and best way to do it is to move the files outside your web server's directory. It's easy to set up a directory tree that suits different projects and it's the most transparent way of doing things (it's easy to overlook a wrong file permission on a file, and checking for the referrer won't work in all cases and also involves extra work).

Assisted Solution

markdoc earned 164 total points
ID: 17766756

I've tried putting all of my include files in a directory outside my document folder and I think this is the safest and best option, especially if you have more control over your web server's directories. Use this in tandem with set_include_path().

I also tried playing around with file permissions and they also worked, but of course it would be a lot of work if you have many include files, and could be a pain if you are using free web hosting.

For me, checking the referrer and other exotic methods are far too fancy for me to trouble myself with. You can try them, though, merely to see how effective they are.
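The layout TeRReF and markdoc describe, as an added example (not code from the thread or from any of the posters): the include tree lives beside, not under, the document root, and the single browser-facing script reaches it through set_include_path(). The directory names, the sample config.php and the isOutsideDocroot() deployment check are all constructed for this illustration; the tree is built under a temp directory so the script runs stand-alone, where a real host would have something like /home/httpd/html (served) next to /home/httpd/includes (never served).

```php
<?php
// Added example, not code from the thread: keep library files outside the
// document root and reach them through set_include_path(). The tree is built
// under a temp directory so the script runs stand-alone; on a real host the
// equivalents would be the web server's docroot (e.g. /home/httpd/html) and a
// sibling directory no URL maps to (e.g. /home/httpd/includes). The paths and
// the sample config below are constructed for this example.
declare(strict_types=1);

$base    = sys_get_temp_dir() . '/outside-docroot-demo-' . getmypid();
$docroot = "$base/html";      // the only directory the web server serves
$private = "$base/includes";  // no URL reaches this directory
mkdir("$docroot/app", 0755, true);
mkdir($private, 0755, true);

// A library file. It returns a value rather than printing, so it has nothing
// to show even if something does include it at the wrong moment.
file_put_contents("$private/config.php", <<<'PHP'
<?php
return ['db_host' => 'localhost', 'db_name' => 'app'];
PHP
);

// The browser-facing script: the one file that needs a URL. It prepends the
// private directory to the include path, so bare file names resolve there.
file_put_contents("$docroot/app/index.php", <<<'PHP'
<?php
$private = realpath(__DIR__ . '/../../includes');
set_include_path($private . PATH_SEPARATOR . get_include_path());
$config = require 'config.php';   // found via the include path, not via a URL
echo "index.php loaded config for {$config['db_name']}@{$config['db_host']}\n";
PHP
);

// Deployment check (hypothetical helper): refuse to go live if an include
// directory sits under the docroot, the mistake this layout is meant to rule out.
function isOutsideDocroot(string $dir, string $docroot): bool
{
    $real = realpath($dir);
    $root = realpath($docroot);
    return $real !== false && $root !== false
        && strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0;
}

// Run the entry point the way a request would, then show the layout check
// passing for the private directory and failing for a directory under the docroot.
require "$docroot/app/index.php";
var_dump(isOutsideDocroot($private, $docroot));
var_dump(isOutsideDocroot("$docroot/app", $docroot));
```

The point of the check at the end is that the protection here is purely a property of the file system layout: there is no code in config.php to get wrong, but a single misplaced directory silently undoes it, so the layout is worth asserting at deploy time rather than trusting.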


Assisted Solution

Rob_Jeffrey earned 164 total points
ID: 17766837
Your options are pretty limitless. It would help if you knew what you want to happen when a user tries to access an include directly.

Do you want to display an empty page, or 404 - or display the default page?

If you are just asking for personal choice, then mine is simply the blank page.  I'm lazy.  The average person will never find out anyway.
I don't let my include files echo out anything - they all give return values.  I have all my includes in a single folder and file browsing is turned off for that folder.  The calling PHP files don't let the browser (web user) know what file(s) it calls.

The average hacker will now have to guess what the files are called to call them directly - or write something that will pull files randomly (a.php, b.php, etc).

I like TeRReF's idea - but you may not have that kind of access on some shared web servers.
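Rob_Jeffrey's approach for the shared-host case, as an added example that is not code from the thread or from the poster: include files produce no output and only return values, and the entry point decides what gets echoed. To turn a direct request into a deliberate blank page rather than an accidental one, the include also checks for a marker constant that only a legitimate entry point defines; the constant name APP_ENTRY, the sample user list, the file names and the .htaccess fragment are all constructed for this illustration. The two files are written to a temp directory and run as separate PHP processes so the script works stand-alone.

```php
<?php
// Added example, not code from the thread: include files that return values
// and exit silently when hit directly, the fallback when nothing can live
// outside the docroot. APP_ENTRY, the file names and the sample data are
// constructed for this example. Requires the php CLI (PHP_BINARY) to simulate
// two separate requests.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/direct-access-guard-demo-' . getmypid();
mkdir("$dir/inc", 0755, true);

// Belt and braces for Apache hosts that honour .htaccess: no directory
// listing and no requests at all into the include folder. (Apache 2.4 syntax;
// 2.2 would use "Deny from all".) Written here only to show the fragment.
file_put_contents("$dir/inc/.htaccess", "Options -Indexes\nRequire all denied\n");

// The include: no output, just a returned value, and an immediate exit when
// it is not being pulled in by an entry point that defined the marker.
file_put_contents("$dir/inc/users.php", <<<'PHP'
<?php
defined('APP_ENTRY') or exit;   // direct hit: blank page, nothing leaked
// Constructed sample data standing in for a database query.
return [
    ['id' => 1, 'name' => 'alice'],
    ['id' => 2, 'name' => 'bob'],
];
PHP
);

// The entry point: defines the marker before including anything, and is the
// only place that turns data into output.
file_put_contents("$dir/index.php", <<<'PHP'
<?php
define('APP_ENTRY', true);
$users = require __DIR__ . '/inc/users.php';
foreach ($users as $u) {
    echo htmlspecialchars($u['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
PHP
);

// Run a file the way a URL hit would run it: in its own PHP process, with
// nothing defined beforehand. Returns whatever the file printed.
function runAsRequest(string $file): string
{
    $out = [];
    exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file), $out);
    return implode("\n", $out);
}

echo "via entry point:\n", runAsRequest("$dir/index.php"), "\n";
echo "direct hit on include: [", runAsRequest("$dir/inc/users.php"), "]\n";
```

Two caveats a practitioner should keep in mind: the guard constant only controls what a direct hit prints, the file is still parsed and executed, so a parse error or a misconfigured PHP handler can still expose it; and the .htaccess fragment does nothing unless the host's AllowOverride permits it, which is exactly the kind of access that is often missing on shared hosting.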

Expert Comment

ID: 17767164
Well, the way I do it is to keep my class files, or the files which are to be secured, in the /home/http/WEB-INF/ directory, and the PHP that is executable from the browser I usually keep in /home/httpd/html/{some application name}/

I hope this helps
