Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

.htaccess allow only php

Posted on 2013-05-16
7
Medium Priority
?
1,573 Views
Last Modified: 2013-06-03
Im trying to write a .htaccess file which will block access to .inc files on my apache web server.

At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S

So after reading about .htaccess Ive done the following:-
<Files *.inc>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.png>
    Order Deny,Allow 
    Deny from all
</Files>


<Files *.swg>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S

What Im trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be acomplised by:-
<Files *.*>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


What am I doing wrong?
0
Comment
Question by:tonelm54
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172720
Is there a reason your credentials are in an .inc file? They really should be in a PHP file and not in a plain text, downloadable file.  You can include the file with the content below and name it dbConf.php ... it won't show up when someone goes to  http://myserver/dbConf.php
<?php
$userName = "admin";
$passWord = "mypassword";

Open in new window

0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39172738
Standard practice is what darron suggests, make it a *.php file.  You will see it done that way in Wordpress, phpMyAdmin, and many other applications including mine.
0
 

Author Comment

by:tonelm54
ID: 39172746
Ok, done that, which has worked.

What Im now looking at is to stop the user being able to access some .dat files in a subdirectory, is it possible to block access in the .htacess file to .dat?
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 7

Expert Comment

by:msifox
ID: 39172775
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.

You could configure your web server to use a different root directory and place the php files with passwords outside of this.

For example when I see that default root is /var/www, I setup /var/www/htdocs and declare this as root, then I create /var/www/php and put my php-files with passwords there. Other php files can include them with
   include '../php/passwords.php'
but the web server will refuse to deliver
   http://../php/password.php

Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
   include '.passwords.php'
but the web server will not show it.
0
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172785
Try this in your .htaccess file

<Files ~ "\.dat$">
	Order allow,deny
	Deny from all
</Files>

Open in new window

0
 
LVL 82

Accepted Solution

by:
hielo earned 2000 total points
ID: 39173003
To allow access only to files with specific extensions try:
Order Deny, Allow
Deny from all
Allow from 127.0.0.1

<FilesMatch "\.(?i:css|js|php|gif|png|jpg)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

Open in new window


To deny access only to files with specific extensions try:
Order Deny, Allow
Allow from all

<FilesMatch "\.(?i:inc|dat|ini|conf)$">
    Order Allow,Deny
   Deny from all
</FilesMatch>

Open in new window

0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39175559
- you seem to deny access on all files, but i guess you noticed already

- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root

then you may want to try

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files *.png>
    Order Deny,Allow
    Allow from all
</Files>


<Files *.swg>
    Order Deny,Allow
    Allow from all
</Files>

or rather

<Files *>
    Order Allow,Deny
    Allow from all
</Files>

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

671 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question