
Hiding PHP files from HTTP access without .htaccess

Discussion in 'PHP' started by qscomputing, Mar 7, 2005.

  1. #1
    Hi,

    I have a number of PHP "include" files which could potentially pose a security risk if accessed over HTTP. Is there any way to prevent access to these files over HTTP, but without using .htaccess? I still need them to be included in other scripts!

    Thanks,
    - QS Computing.
     
    qscomputing, Mar 7, 2005 IP
  2. nullbit

    nullbit Peon

    #2
    Add something like this to the top of the PHP files which the included php files are called from:

    define('SAFE', true);

    Then add this to the _top_ of all the included files:

    if(!defined('SAFE')) exit('Access Denied!');

    Also, it would be good to put an empty index.html file in your includes directory, this way users cannot browse what files are there (they just get an empty page).
     
    nullbit, Mar 7, 2005 IP
  3. palespyder

    palespyder Psycho Ninja

    #3
    Another way is to create a folder above your web directory, for example:

    your root:

    /home/

    your web:

    /home/public_html/

    put the includes in:

    /home/includes/

    This will make it so they cannot be accessed via the web but your pages have access to them. Or at least in my experience this works pretty well.
     
    palespyder, Mar 7, 2005 IP
  4. Weirfire

    Weirfire Language Translation Company

    #4
    How do you include the PHP files which are in the /home/includes folder? Could you not create a folder like /home/public_html/includes/ and change the permissions of this folder?
     
    Weirfire, Mar 7, 2005 IP
  5. palespyder

    palespyder Psycho Ninja

    #5
    Weirfire:
    You can do that as well, as for how to include files in /home/includes/

    include_once('../includes/filename.php');

    There are a million different ways to protect your include files. I personally just use the includes folder with permissions set and I also do things like:

    inc.filename.php

    or

    filename.inc
     
    palespyder, Mar 7, 2005 IP
  6. qscomputing

    qscomputing Peon

    #6
    I did something like nullbit suggested, but it's still (theoretically) possible to circumvent it.

    Unfortunately I'm using a cheap host who doesn't give me access to anything above my web directory.

    How would setting permissions work? Surely PHP runs as the same user as the webserver? So if I set -r--r----- then everyone can read the script over the 'net?

    Thanks,
    - QS Computing
     
    qscomputing, Mar 8, 2005 IP
  7. Weirfire

    Weirfire Language Translation Company

    #7
    Can you not set the privileges so that it can't be accessed globally?

    I've never really looked into this but I'd be interested to find out.
     
    Weirfire, Mar 8, 2005 IP
  8. dtan

    dtan Peon

    #8
    I recommend against this. The server will usually return this file as plain text, thus letting the visitor view the code. Most include files are ok if they end in the .php extension. As long as they are parsed by php/apache they should return only the output from the code, and not the code itself.
     
    dtan, Mar 11, 2005 IP
  9. qscomputing

    qscomputing Peon

    #9
    What permissions do I set? r--r--r--?
     
    qscomputing, Mar 12, 2005 IP
  10. J.D.

    J.D. Peon

    #10
    If it's a shared machine, you are not supposed to access anything above your directory.

    I know you said you didn't want to use .htaccess, but this is really your best option, as it covers pretty much everything from the security point of view. Redirect all requests to files located in the include directory to a 404 handler. There are a few ways to do this. For example, if you keep all your PHP include files in the include directory and your custom error files are in the errors directory, add this line into your .htaccess file:

    RewriteRule ^include/.*$ /errors/404.php [L]

    The 404.php file would look like this:

    <?php header("HTTP/1.0 404 Not Found"); ?>
    <h1>404 Not Found</h1>

    Permissions are not good for the purposes of hiding include files because your web server will still need to access the files, regardless of the way the file was requested (i.e. HTTP or include). Redirection, on the other hand, only affects how files are accessed over HTTP.

    Also, it is better to return 404 (not found) than 403 (forbidden) because returning 403 will tell the attacker that the file does exist in the protected directory.

    J.D.
     
    J.D., Mar 12, 2005 IP
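    The constant guard from nullbit's reply (#2) and the 404 response from J.D.'s reply (#10), combined in one include file as an added example that is not code from the thread. It goes one step further than the thread by also comparing the script the web server actually executed against the include's own path; the file names, the use of the SAFE constant and the placeholder secret are assumptions.

```php
<?php
// public_html/inc/config.inc.php (assumed path): an include file that must
// never be served on its own. Added example, not code from the thread.

// Guard 1 (nullbit's check): only an entry script that did
// define('SAFE', true) before including this file may proceed.
$entry_defined_safe = defined('SAFE');

// Guard 2 (assumed addition): SCRIPT_FILENAME is the script the web
// server actually executed. If it resolves to this very file, the
// include was requested directly over HTTP rather than pulled in by
// another script, whatever constants happen to be defined.
$requested_directly = isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__);

if (!$entry_defined_safe || $requested_directly) {
    // Answer like J.D.'s 404.php: a 404 reveals nothing, whereas a 403
    // or an "Access Denied!" page with status 200 confirms the file exists.
    $proto = isset($_SERVER['SERVER_PROTOCOL'])
        ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
    header($proto . ' 404 Not Found');   // must be sent before any output
    header('Content-Type: text/html');
    echo "<h1>404 Not Found</h1>\n";
    exit;
}

// Only reached when included by a legitimate entry script.
$db_password = 'PLACEHOLDER_CHANGE_ME';   // constructed sample value

// The entry script (public_html/index.php, assumed) would contain:
//   define('SAFE', true);
//   require dirname(__FILE__) . '/inc/config.inc.php';
// dirname(__FILE__) anchors the path to the entry script itself, so the
// include still resolves when the script runs from another working
// directory, unlike a bare '../includes/filename.php'.
```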
  11. qscomputing

    qscomputing Peon

    #11
    True, but I thought palespyder was suggesting that I might get a directory in my home directory above my web directory.
    Actually, I can't use .htaccess - my host won't allow it. Hence the problem.

    - QS Computing.
     
    qscomputing, Mar 13, 2005 IP
  12. neterslandreau

    neterslandreau Peon

    #12
    Your host does not allow you to create a .htaccess file?? I would read my contract and find out how quickly I could dump them. Inexpensive hosting services are a dime a dozen.
     
    neterslandreau, Mar 13, 2005 IP
  13. J.D.

    J.D. Peon

    #13
    Well, some hosting companies do allow you to access a designated directory above the web root (you could create subdirectories there), even in a shared environment. This is done so that you could keep sensitive files, such as a password file for directory authentication, away from web access (you would still be able to access it through PHP). This setup is quite elaborate and I'm not sure how many hosting companies do this.

    I agree with Neters - dump 'em.

    J.D.
     
    J.D., Mar 13, 2005 IP
  14. qscomputing

    qscomputing Peon

    #14
    I'm using webspace that comes with my ISP. It's pretty decent hosting - for an ISP, but all of the useful features are pretty much mutually-exclusive.

    I get access to two servers:

    www.qs...: allows me to serve basic HTML and files, .htaccess allowed
    cgi.qs...: CGI, PHP, SSH access etc. less space, no .htaccess

    Any recommendations of decent (but fairly cheap) hosts?
    - QS Computing.
     
    qscomputing, Mar 13, 2005 IP
  15. neterslandreau

    neterslandreau Peon

    #15
    GoDaddy comes to mind. I know there are people here who host with them so you may want to search the forum to see how it rates.
     
    neterslandreau, Mar 13, 2005 IP
  16. J.D.

    J.D. Peon

    #16
    You can also check places like www.askwebhosting.com. They allow you to search by price range. Once you've found a couple of companies you like, do a search on this forum or through blogs to see what people are saying about them.

    J.D.
     
    J.D., Mar 13, 2005 IP