Solved

.htaccess allow only php

Posted on 2013-05-16
7
1,332 Views
Last Modified: 2013-06-03
Im trying to write a .htaccess file which will block access to .inc files on my apache web server.

At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S

So after reading about .htaccess Ive done the following:-
<Files *.inc>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.png>
    Order Deny,Allow 
    Deny from all
</Files>


<Files *.swg>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S

What Im trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be acomplised by:-
<Files *.*>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


What am I doing wrong?
0
Comment
Question by:tonelm54
7 Comments
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172720
Is there a reason your credentials are in an .inc file? They really should be in a PHP file and not in a plain text, downloadable file.  You can include the file with the content below and name it dbConf.php ... it won't show up when someone goes to  http://myserver/dbConf.php
<?php
$userName = "admin";
$passWord = "mypassword";

Open in new window

0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39172738
Standard practice is what darron suggests, make it a *.php file.  You will see it done that way in Wordpress, phpMyAdmin, and many other applications including mine.
0
 

Author Comment

by:tonelm54
ID: 39172746
Ok, done that, which has worked.

What Im now looking at is to stop the user being able to access some .dat files in a subdirectory, is it possible to block access in the .htacess file to .dat?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 7

Expert Comment

by:msifox
ID: 39172775
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.

You could configure your web server to use a different root directory and place the php files with passwords outside of this.

For example when I see that default root is /var/www, I setup /var/www/htdocs and declare this as root, then I create /var/www/php and put my php-files with passwords there. Other php files can include them with
   include '../php/passwords.php'
but the web server will refuse to deliver
   http://../php/password.php

Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
   include '.passwords.php'
but the web server will not show it.
0
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172785
Try this in your .htaccess file

<Files ~ "\.dat$">
	Order allow,deny
	Deny from all
</Files>

Open in new window

0
 
LVL 82

Accepted Solution

by:
hielo earned 500 total points
ID: 39173003
To allow access only to files with specific extensions try:
Order Deny, Allow
Deny from all
Allow from 127.0.0.1

<FilesMatch "\.(?i:css|js|php|gif|png|jpg)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

Open in new window


To deny access only to files with specific extensions try:
Order Deny, Allow
Allow from all

<FilesMatch "\.(?i:inc|dat|ini|conf)$">
    Order Allow,Deny
   Deny from all
</FilesMatch>

Open in new window

0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39175559
- you seem to deny access on all files, but i guess you noticed already

- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root

then you may want to try

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files *.png>
    Order Deny,Allow
    Allow from all
</Files>


<Files *.swg>
    Order Deny,Allow
    Allow from all
</Files>

or rather

<Files *>
    Order Allow,Deny
    Allow from all
</Files>

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question