can access files OUTSIDE of the document root?

Posted on 2010-01-05
Last Modified: 2013-12-14
On a website I have moved some secure data from under the document root...

e.g. <our partition on apache webserver>\www\<some directory>

to a more secure position that is NOT under the document root..

e.g. <our partition on apache webserver>\secure\<some directory>

..the idea being to stop canny users who might know/guess the path from being able to browse to the data

Now I've just realised that in our admin pages of the website we have JavaScript code that tries to access this data (legitimately, since it's behind a login screen for admins), but it uses the following:

<a href="javascript: ;" onClick="window.open('<path to secure data>','_blank','scrollbars=yes,menubar=no,resizable=yes,location=no,width=500,height=520,screenX=50,screenY=50,left=50,top=50');">View File</a>

I'm presuming this won't work for precisely the right reasons, i.e. we are trying to access the secure data via a web browser, using HTTP, and since it's not under the document root any more, we can't get to it.

Is this right?

Is there a way to access this file using JavaScript here, and STILL keep it where it is (presumably) secure, or will we have to resort to PHP (etc.)'s file uploading/downloading library?

many thanks!

Question by: zorba111
    LVL 75

    Accepted Solution

    You will no longer be able to access the files if you access them via the web server.
    You can of course access the files via the file system if your admin pages are IN that file system.
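
One way to do what the accepted answer describes, as an added example that is not part of the original thread: a PHP script under the document root checks the admin session, then reads the file through the file system from the directory outside the document root, refusing names that resolve outside it. The script name, `SECURE_DIR` and the `is_admin` session key are assumptions.

```php
<?php
// view_file.php (hypothetical name), placed under the document root behind the admin login.
declare(strict_types=1);

// Assumed location of the directory that sits outside the document root.
const SECURE_DIR = __DIR__ . '/../../secure/files';

// Map a requested name to a real file inside $baseDir; null if it is missing
// or resolves outside $baseDir (via "../" or a symlink).
function resolve_secure_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare with a trailing separator so a sibling such as "files-old" cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Assumption: the login page sets $_SESSION['is_admin'] = true for admins.
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    $name = $_GET['file'] ?? '';
    $path = is_string($name) ? resolve_secure_path(SECURE_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // Sent as a download so stored content is never rendered in the site's origin.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    readfile($path);
    exit;
}

// Constructed CLI demo (php view_file.php): a temp tree with one file inside and one outside.
$tmp = sys_get_temp_dir() . '/secure_demo_' . getmypid();
mkdir($tmp . '/files', 0700, true);
file_put_contents($tmp . '/files/report.txt', 'ok');
file_put_contents($tmp . '/outside.txt', 'no');
var_dump(resolve_secure_path($tmp . '/files', 'report.txt'));     // name inside the base
var_dump(resolve_secure_path($tmp . '/files', '../outside.txt')); // traversal attempt
```

The admin page's "View File" link would then open `view_file.php?file=<name>` instead of the file's own path.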

    Author Comment

    Hi mplungian, thanks for that!

    The files are not in a file system accessible from the browser as they are in a remote server (but I can get into it via tools provided by the hosting company).

    Is there a good book / article / source that explains all this?
    i.e. what FTP can see, what HTTP can see - how to protect files etc.?

    LVL 75

    Assisted Solution

    by: Michel Plungjan

    Author Closing Comment

    only thing stopped me giving an A was: I would have preferred more explanation

    ...but overall, very pleased.

    thank you 1
