freelance84 (Posted July 1, 2010)

I'm not sure if this is the correct place for this one; if not, I'm sure it will be corrected.

With regards to the PHP-security tutorial: Section 5 talks about External file access and how everything but the index.php should be removed from the document root...

I'm pretty confused and have been trying to get my head around this for about 2hrs now, with Google searches not really resulting in much.

Firstly, don't all the pages need to be in the public_html or one of its sub-directories?

Also, if something does go wrong and the user does see the directory tree, would they be able to right click and save to file any folder/file they wish? Or are they just simply able to view the different file names?

Please go easy with me on this one, it's all completely new and I'm just struggling to break in.

Thanks,
John

ChemicalBliss (Posted July 1, 2010)

You can turn Indexes off via a .htaccess file in Apache - this would eliminate any way of retrieving a "Directory Listing".

But yes, external files are usually in a folder above the public_html.

e.g.:

    www/
        external_includes/
            config.php
        public_html/
            index.php

index.php would have a line like so:

    include("../external_includes/config.php");

-cb-

freelance84 (Posted July 1, 2010)

Ok, so if I turned Indexes off via the .htaccess, if Apache failed or something else, the user would not be able to see anything but a blank page?

What if Apache or something else failed during the login? Would this display the login.php to the user in plain text?

ChemicalBliss (Posted July 1, 2010)

If Apache failed, you would not even get access to the webserver. If for some reason Apache failed to load .htaccess files then yes, they could technically get your directory tree, but directory trees aren't that big a security threat in themselves; it is when you have bad code design that it is a problem.

For instance:

    index.php
    admin/
        delete_db.php

This is a problem that many Shopping Carts and CMS scripts had - these files could be remotely activated by using specific GET requests. This would allow someone to know where to strike first.

If you truly are worried about your directory tree being viewed, then yes, use the external file method as outlined above. But technically you should never need to hide your directory tree; if you're worried about security, get people you know (phpfreaks beta test forums is a good place) to try to hack it and close the gaps.

-cb-
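
Added example (not part of the thread or of the tutorial it discusses): a sketch of how every page can live outside public_html when index.php is the only file in the document root, which also means a script such as the delete_db.php mentioned above has no URL of its own. The `page` query parameter and the home.php, login.php and admin.php file names are assumptions made for illustration; directory listings are turned off separately with `Options -Indexes` in .htaccess.

```php
<?php
// public_html/index.php: the only PHP file left inside the document root.
// Added example. The "page" parameter and the home/login/admin file names are
// assumptions; the directory layout follows the www/ tree from the thread.
declare(strict_types=1);

// Directory one level above public_html, i.e. outside the document root.
const INCLUDE_DIR = __DIR__ . '/../external_includes';

// Allow-list: request name => script stored outside the document root.
const PAGES = [
    'home'  => 'home.php',
    'login' => 'login.php',
    'admin' => 'admin.php',   // the script must still check the session itself
];

/** Return the absolute path for an allow-listed page, or null. */
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;          // unknown names, "../" tricks, raw file names
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . PAGES[$name]);
    // realpath() returns false for a missing file; also confirm containment.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

require INCLUDE_DIR . '/config.php';   // settings are never reachable by URL

$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$script = resolve_page($requested);

if ($script === null) {
    http_response_code(404);
    exit('Not found');
}
require $script;
```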

freelance84 (Posted July 1, 2010)

Ok, thanks for your help. I might just be doing that then as I'm nearly done with my first site