Solved

Prevent direct file access

Posted on 2006-10-19
6
1,150 Views
Last Modified: 2012-08-13
I know this was probably asked many times, but still it is the first time I have to deal with it. In my web app I am preparing I don't want users to be able and type in url that would directly access some .php file that would otherwise be called from other .php. Testing the app, it throws an empty page or sometimes some of page but without any data. Still, I don't like that, so what are my options and cons and pros of them?

I know I can play around with apache - file access permissions, I can even place some files outside the web directory, can check referrer, ...
I am looking for some consistent way I can apply throughout the project.

What is your fav. choice and why?

thanks!
0
Comment
Question by:hpet
6 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 43 total points
ID: 17766693
The easiest and best way to do it is to move the files outsde your webservers directory. It's easy to setup a directory tree that suits different projects and it's the most transparent way of doing things (it's easy to overlook a wrong file permission on a file and checking for referrer won't work in all cases and also involves extra work)
0
 
LVL 4

Assisted Solution

by:markdoc
markdoc earned 41 total points
ID: 17766756
hi,

i've tried putting all of my include files in a directory outside my document folder and i think this is the safest and best option especially if you have more control over your web server's directories. use this in tandem with set_include_path().

i also tried playing around with file permissions and they also worked but of course it would be a lot of work if you have many include files and could be a pain if you are using a free web hosting.

for me checking the referrer and other exotic methods are far too fancy for me to trouble myself with. you can try though merely to know how effective they are.

-doc
0
 
LVL 9

Assisted Solution

by:Rob_Jeffrey
Rob_Jeffrey earned 41 total points
ID: 17766837
Your options are pretty limitless.  It would help if you know what you want to happen when a user tries to access an include directly.

Do you want to display an empty page, or 404 - or display the default page?

If you are just asking for personal choice, then mine is simply the blank page.  I'm lazy.  The average person will never find out anyway.
I don't let my include files echo out anything - they all give return values.  I have all my includes in a single folder and file browsing is turned off for that folder.  The calling PHP files don't let the browser (web user) know what file(s) it calls.

The average hacker will now have to guess what the files are called to call them directly - or write something that will pull files randomly (a.php, b.php, etc).

I like TeRReF's idea - but you may not have that kind of access on some shared webservers.  
0
 
LVL 15

Expert Comment

by:babuno5
ID: 17767164
well the way i do is to have my class file or the file which are to be secured in the/home/http/WEB-INF/ directory and the executable php from the browser i usually keep in the /home/httpd/html/{some application name}/

I hope this helps
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Both Easy and Powerful How easy is PHP? http://lmgtfy.com?q=how+easy+is+php (http://lmgtfy.com?q=how+easy+is+php)  Very easy.  It has been described as "a programming language even my grandmother can use." How powerful is PHP?  http://en.wikiped…
Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now