Link to home
Create AccountLog in
Avatar of tonelm54
tonelm54

asked on

.htaccess allow only php

Im trying to write a .htaccess file which will block access to .inc files on my apache web server.

At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S

So after reading about .htaccess Ive done the following:-
<Files *.inc>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.png>
    Order Deny,Allow 
    Deny from all
</Files>


<Files *.swg>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S

What Im trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be acomplised by:-
<Files *.*>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


What am I doing wrong?
Avatar of darron_chapman
darron_chapman
Flag of United States of America image

Is there a reason your credentials are in an .inc file? They really should be in a PHP file and not in a plain text, downloadable file.  You can include the file with the content below and name it dbConf.php ... it won't show up when someone goes to  http://myserver/dbConf.php
<?php
$userName = "admin";
$passWord = "mypassword";

Open in new window

Avatar of Dave Baldwin
Standard practice is what darron suggests, make it a *.php file.  You will see it done that way in Wordpress, phpMyAdmin, and many other applications including mine.
Avatar of tonelm54
tonelm54

ASKER

Ok, done that, which has worked.

What Im now looking at is to stop the user being able to access some .dat files in a subdirectory, is it possible to block access in the .htacess file to .dat?
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.

You could configure your web server to use a different root directory and place the php files with passwords outside of this.

For example when I see that default root is /var/www, I setup /var/www/htdocs and declare this as root, then I create /var/www/php and put my php-files with passwords there. Other php files can include them with
   include '../php/passwords.php'
but the web server will refuse to deliver
   http://../php/password.php

Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
   include '.passwords.php'
but the web server will not show it.
Try this in your .htaccess file

<Files ~ "\.dat$">
	Order allow,deny
	Deny from all
</Files>

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of hielo
hielo
Flag of Wallis and Futuna image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
- you seem to deny access on all files, but i guess you noticed already

- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root

then you may want to try

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files *.png>
    Order Deny,Allow
    Allow from all
</Files>


<Files *.swg>
    Order Deny,Allow
    Allow from all
</Files>

or rather

<Files *>
    Order Allow,Deny
    Allow from all
</Files>

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>