Solved

Prevent direct file access

Posted on 2006-10-19
6
1,152 Views
Last Modified: 2012-08-13
I know this was probably asked many times, but still it is the first time I have to deal with it. In my web app I am preparing I don't want users to be able and type in url that would directly access some .php file that would otherwise be called from other .php. Testing the app, it throws an empty page or sometimes some of page but without any data. Still, I don't like that, so what are my options and cons and pros of them?

I know I can play around with apache - file access permissions, I can even place some files outside the web directory, can check referrer, ...
I am looking for some consistent way I can apply throughout the project.

What is your fav. choice and why?

thanks!
0
Comment
Question by:hpet
6 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 43 total points
ID: 17766693
The easiest and best way to do it is to move the files outsde your webservers directory. It's easy to setup a directory tree that suits different projects and it's the most transparent way of doing things (it's easy to overlook a wrong file permission on a file and checking for referrer won't work in all cases and also involves extra work)
0
 
LVL 4

Assisted Solution

by:markdoc
markdoc earned 41 total points
ID: 17766756
hi,

i've tried putting all of my include files in a directory outside my document folder and i think this is the safest and best option especially if you have more control over your web server's directories. use this in tandem with set_include_path().

i also tried playing around with file permissions and they also worked but of course it would be a lot of work if you have many include files and could be a pain if you are using a free web hosting.

for me checking the referrer and other exotic methods are far too fancy for me to trouble myself with. you can try though merely to know how effective they are.

-doc
0
 
LVL 9

Assisted Solution

by:Rob_Jeffrey
Rob_Jeffrey earned 41 total points
ID: 17766837
Your options are pretty limitless.  It would help if you know what you want to happen when a user tries to access an include directly.

Do you want to display an empty page, or 404 - or display the default page?

If you are just asking for personal choice, then mine is simply the blank page.  I'm lazy.  The average person will never find out anyway.
I don't let my include files echo out anything - they all give return values.  I have all my includes in a single folder and file browsing is turned off for that folder.  The calling PHP files don't let the browser (web user) know what file(s) it calls.

The average hacker will now have to guess what the files are called to call them directly - or write something that will pull files randomly (a.php, b.php, etc).

I like TeRReF's idea - but you may not have that kind of access on some shared webservers.  
0
 
LVL 15

Expert Comment

by:babuno5
ID: 17767164
well the way i do is to have my class file or the file which are to be secured in the/home/http/WEB-INF/ directory and the executable php from the browser i usually keep in the /home/httpd/html/{some application name}/

I hope this helps
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this.Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it is …
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question