
Where to keep my 'public' and 'private' scripts

Hi,

I have a bunch of PHP scripts. Some of them are 'public', meaning they'll be called by the... public, the others are scripts only my C++ application will be calling.

Is there any difference to the way I organize these files on my server - is there any potential harm in keeping public/private scripts in the same folder? Something like:

    www.mysite/app/public_gallery.php
    www.mysite/app/private_secret_spy_data.php

It just seems wrong to keep them in the same location. Any way someone can exploit that?
I'm new to PHP so just seeing if I'm missing anything simple,

Thanks
0
Asked by: DJ_AM_Juicebox
 
digital0iced0 Commented:
If they are private you can keep them outside of the website root directory so no one can access them.  
0
 
Ray Paseur Commented:
There are two useful ways of dealing with this.

If you have all your public web site stuff in "public_html" you can create another directory on the server outside of public_html, but still under your account. Let's call it "private_html".

Then when you want to include a script from the private area, you would just say something like this:
    <?php

    // GET A SCRIPT FROM OUTSIDE WWW ROOT
    require_once('../private_html/my_script.php');


0
 
Ray Paseur Commented:
You can also protect the private scripts with a redirect header.  If anyone accidentally tries to execute them directly, they will fail.

HTH, ~Ray
    <?php
    // DO NOT RUN THIS SCRIPT STANDALONE
    if (count(get_included_files()) < 2) { header("HTTP/1.1 301 Moved Permanently"); header("Location: /"); exit; }


0
 
DJ_AM_Juicebox (Author) Commented:
Hmm yeah on my hosting service I get immediately placed inside public_html, no chance to move up for some reason. I'm not sure if #2 will work because some of the scripts should be executed stand-alone.

I'm curious if you can query a web server for a listing of files, say the user knows I have images here:

    www.mysite.com/images

I have an index.html page in there so the browsers won't show a directory listing.

But can someone write their own client code which simply requests a listing of files in that directory from the web server? Then I'd be in trouble since I might have something like:

    www.mysite.com/images/private.php

in there.

Thanks
0
 
Ray Paseur Commented:
"can someone write their own client code which simply requests a listing of files in that directory"

No, you're OK against that.  But if they know the name of a file in the directory, they can type that into a URL.

You can use .htaccess to protect the directory a little more.  I don't know the details, but I know it can be done.
0
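
What the .htaccess protection mentioned above can look like on Apache, as an added example that is not part of the original thread. The `private/` directory name is hypothetical, `images/private.php` is the file from the question, and it is assumed the host allows these directives in .htaccess files (AllowOverride).

```apache
# --- File 1: public_html/private/.htaccess ---
# "private/" is a hypothetical directory holding include-only scripts.
# Every HTTP request into it is refused. PHP include()/require() keeps
# working, because those read the file from disk, not through Apache.

# Never generate a directory listing, even if index.html is missing
Options -Indexes

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# --- File 2: public_html/images/.htaccess ---
# Mixed directory: images stay reachable, only the one script is refused
# (a request for it gets 403 Forbidden even when the name is known).
Options -Indexes
<Files "private.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

This fits scripts that are only ever pulled in with include() or require(). A script that the C++ application requests by URL has to stay reachable, so a blanket deny cannot be applied to it.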
 
DJ_AM_Juicebox (Author) Commented:
Ok gotcha, thanks.
0
 
Ray Paseur Commented:
Regarding this: "I'm not sure if #2 will work because some of the scripts should be executed stand-alone."

I only use that statement in scripts that I NEVER want to run standalone, such as scripts that I always want to include() or require() - things like the data base connector, where I have my passwords, etc.  None of the other scripts have that, since I want them to be run standalone to generate HTML for my web pages.
0
