Keeping critical PHP files from being downloaded

PHP files often have critical information.  A vendor's PayPal account information might be in a config.php file, for example.  How are these files protected from download by something like FlashGet?

Thanks
Asked by: steva
 
owner66 Commented:
What hosting platform?
Something like a config.php etc is usually in ./includes, so prohibit directory listing on those folders.
 
Aaron Tomosky (SD-WAN Simplified) Commented:
In Apache, use .htaccess to forbid access to your includes folder.
 
Trixor Commented:
If your web server is configured correctly, it will run the PHP and display the output, not the PHP source code. Just make sure that when called directly (http://example.com/config.php) it does not display anything.
 
steva (Author) Commented:
Trixor,

No, it doesn't display anything if run directly. So are you saying that Apache in general won't let you download a .php file?
 
Trixor Commented:
Steva,

That is correct.

Just be aware that if your Apache is NOT configured to process PHP, you can download a .php file. But since in most cases Apache is configured this way, you are correct.
 
owner66 Commented:
Author didn't specifically mention Apache. For example, there is no .htaccess in IIS. Disable directory browsing.
 
steva (Author) Commented:
I'm running on a Linux/Apache system, so there is a .htaccess file. But the .htaccess in the directory containing config.php just has some kind of a RewriteRule with a regular expression. (I have access to the remote directories.) So it doesn't look like .htaccess is what's blocking download access to the file. I think Trixor has it. Apache won't download any PHP files, no matter where they are. That's good to know.
Question has a verified solution.
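
An added example, not part of the original thread: a Python check for the case Trixor describes, where Apache is not configured to process PHP and a direct request for config.php returns the source. The marker pattern, the content-type list, the function names and the sample responses are constructed assumptions.

```python
import re
import urllib.error
import urllib.request

# Assumption: an opening PHP tag in a response body means the file was served, not run.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Assumption: content types commonly seen when .php is served as a static file.
RAW_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php",
             "application/octet-stream"}


def classify(status, content_type, body):
    """Return 'blocked', 'source-exposed', 'executed' or 'other' for one response."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status in (401, 403, 404):
        return "blocked"             # e.g. .htaccess forbids the includes folder
    if status == 200:
        if PHP_TAG.search(body) or ctype in RAW_TYPES:
            return "source-exposed"  # PHP handler missing: source is downloadable
        return "executed"            # PHP ran; only its output (often empty) came back
    return "other"


def fetch(url, limit=65536):
    """Request url and return (status, content_type, first `limit` bytes of body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read(limit)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read(limit)


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "php processed": (200, "text/html; charset=UTF-8", b""),
    "handler missing": (200, "application/x-httpd-php",
                        b"<?php\n$paypal_account = 'PLACEHOLDER';\n"),
    "served as text": (200, "text/plain", b"<?php define('DB_PASS', 'PLACEHOLDER');"),
    "denied by .htaccess": (403, "text/html", b"<h1>Forbidden</h1>"),
}


def audit_samples():
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:22} -> {verdict}")
```

Running `classify(*fetch(url))` against the site's own config.php after any Apache or PHP upgrade shows whether the handler is still in place.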