orange08 Posted June 18, 2009 Share Posted June 18, 2009 i have read about the security tutorial from this site, about the outside file access, but not too understand, hope experts here can give me a bit explanation. It all has to do with how you layout your directory structure. So, all files within the document root can be retrieved by the user. Therefore we might as well move everything else out of there so people cannot directly access it. This means we might have index.php and some static files such as CSS, Javascript and images laying inside the document root. We can even take it further and do so the only thing that is in index.php is the following: 1. <?php 2. require '../public_index.php'; 3. ?> i just can't understand with the above code, what it meant? and if we move our php files out of public_html, where should we put them? Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/ Share on other sites More sharing options...
akitchin Posted June 18, 2009 Share Posted June 18, 2009 what it means is putting your files ABOVE the public_html folder and including them with PHP. since no one can access files above your web root directly (how would they specify the location? http://www.yoursite.com/../file.php?), this forces them to go through the files that include them. Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858949 Share on other sites More sharing options...
orange08 Posted June 18, 2009 Author Share Posted June 18, 2009 what it means is putting your files ABOVE the public_html folder and including them with PHP. what is meant with 'including them with PHP'? create a folder called "PHP" then put all the php files inside? if put the php files above public_html, then how can i link the file? e.g in my index.php(must in public_html?) then how can i called another php file above public_html? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858955 Share on other sites More sharing options...
akitchin Posted June 18, 2009 Share Posted June 18, 2009 i think you'll need to start with a basic tutorial about PHP itself before you delve into this sort of thing. the three lines you posted above are exactly how you'd include a file from above the web root with PHP. Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858958 Share on other sites More sharing options...
MadTechie Posted June 18, 2009 Share Posted June 18, 2009 Okay, Lets say you have a folder structure like this +folder1 +folder2 +public_html +classes login.php logout.php +html_files index.php config.php and config.php held this <?php $database = "myDB"; $DBUser = "root"; $DBPass = "hidden:p"; ?> Now http://www.mydomain.com/ will open http://www.yourdomain.com/index.php but they could do this http://www.yourdomain.com/config.php Now if PHP is running fine then no problems, BUT as by Daniel Says: Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote'] So just say php Fails and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this http://www.yourdomain.com/config.php And Oh my they goes your database username and password.. infact they could steal your whole sites code and data! So.. how do we stop this ? Well they can see everything in public_html, but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php ie <?php require '../hidden/index.php'; ?> +folder1 +folder2 +public_html index.php <--New index.php file +hidden +classes login.php logout.php +html_files index.php config.php How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well) hope that helps Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858960 Share on other sites More sharing options...
orange08 Posted June 18, 2009 Author Share Posted June 18, 2009 Okay, Lets say you have a folder structure like this +folder1 +folder2 +public_html +classes login.php logout.php +html_files index.php config.php and config.php held this <?php $database = "myDB"; $DBUser = "root"; $DBPass = "hidden:p"; ?> Now http://www.mydomain.com/ will open http://www.yourdomain.com/index.php but they could do this http://www.yourdomain.com/config.php Now if PHP is running fine then no problems, BUT as by Daniel Says: Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote'] So just say php Fails and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this http://www.yourdomain.com/config.php And Oh my they goes your database username and password.. infact they could steal your whole sites code and data! So.. how do we stop this ? Well they can see everything in public_html, but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php ie <?php require '../hidden/index.php'; ?> +folder1 +folder2 +public_html index.php <--New index.php file +hidden +classes login.php logout.php +html_files index.php config.php How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well) hope that helps really thanks for your very detail explanation...seem i get what you meant now... just need confirmation... so, now inside public_html, i still got an index.php with this code <?php require '../hidden/index.php'; ?> then, in the same directory with public_html, i got another folder called 'hidden' like public_html -index.php hidden -index.php that is called -othersphpfiles.php is that i get it right? but, for the url displayed in the browser, what will displayed for when hidden/index.php is called? www.mysite.com/../hidden/index.php? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858967 Share on other sites More sharing options...
MadTechie Posted June 18, 2009 Share Posted June 18, 2009 thats correct but you must think on 2 levels, file level access and domain level access on file level this "/../hidden/index.php" will work but on a domain level www.mysite.com/ this is root So www.mysite.com/../hidden/index.php wouldn't work as you can't go back any lowe then root so www.mysite.com/../hidden/index.php is the same as www.mysite.com/hidden/index.php which will fail Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858970 Share on other sites More sharing options...
orange08 Posted June 18, 2009 Author Share Posted June 18, 2009 thats correct but you must think on 2 levels, file level access and domain level access on file level this "/../hidden/index.php" will work but on a domain level www.mysite.com/ this is root So www.mysite.com/../hidden/index.php wouldn't work as you can't go back any lowe then root so www.mysite.com/../hidden/index.php is the same as www.mysite.com/hidden/index.php which will fail that's meant cannot perform domain level access? or let me ask in another way, index.php inside public_html has called the index.php inside 'hidden' folder, the page is opened, then what will user see in the browser's url entry? Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858975 Share on other sites More sharing options...
MadTechie Posted June 18, 2009 Share Posted June 18, 2009 When hidden/index.php is included PHP will include the file and parsa it as normal, but their is no URL path to the hidden/index.php Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858985 Share on other sites More sharing options...
orange08 Posted June 18, 2009 Author Share Posted June 18, 2009 When hidden/index.php is included PHP will include the file and parsa it as normal, but their is no URL path to the hidden/index.php ok, thanks. i'll try it later and hope then i'll more understand it. oh, ya, another question here... i have created my own .htaccess, so now i have to move it to 'hidden' folder too? if yes, how should i modify this line, the path? php_value error_log /home/mysite/myfolder/php_errors.log and my hosting did prepare those error file to be displayed when encounter error, like 400.shtml, 401.shtml...need i move them to 'hidden' folder? thanks again! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858991 Share on other sites More sharing options...
MadTechie Posted June 18, 2009 Share Posted June 18, 2009 OOOOW keep your error logs out of the public folder...! i guess like this php_value error_log /home/hidden/logs/php_errors.log Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-858996 Share on other sites More sharing options...
Daniel0 Posted June 18, 2009 Share Posted June 18, 2009 The .htaccess will reside inside the document root. Apache doesn't care about what your PHP scripts includes, it just wants PHP to parse it because Apache doesn't know PHP. If at all possible you should put it in httpd.conf instead though. It's faster. Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-859028 Share on other sites More sharing options...
orange08 Posted June 20, 2009 Author Share Posted June 20, 2009 i have tried... but, i faced this problem... in my index.php(the one reside inside hidden folder), i got a href that called file1.php inside hidden/admin folder, so i just code it as normal like <a href="admin/file1.php"> but, seem that it fail to link to that file, and attempt to find that file inside public_html...as i have removed it from public_html, so i got 404 not found error... so, what should i specified in my a href? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860196 Share on other sites More sharing options...
Daniel0 Posted June 20, 2009 Share Posted June 20, 2009 If your application is fundamentally differently designed, doing what I wrote in the tutorial is obviously not an option. It will only work when you route all requests through one file. Take this URL for instance: http://www.phpfreaks.com/tutorial/php-security There is no folder called tutorial and and no folder/file called php-security. Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860206 Share on other sites More sharing options...
MadTechie Posted June 20, 2009 Share Posted June 20, 2009 This is the very reason people should look at security from the start instead of right at the end.. In any case, any file that you need to open from the browser side will need to be in the public folder.. HOWEVER.. you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing <?php require '../../hidden/admin/file1.php'; ?> that would also work. BUT as your application hasn't be designed with this in mind, it may get very messy A better approach would be to have a main control file, that opens each page ie (basic example) <?php $valid = array("Home","Admin","Profile","etc"); if(isset($_GET['Page']) && in_array($_GET['Page'],$valid)) { include "../Hidden/".$_GET['Page']".php" } ?> Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860207 Share on other sites More sharing options...
orange08 Posted June 20, 2009 Author Share Posted June 20, 2009 This is the very reason people should look at security from the start instead of right at the end.. In any case, any file that you need to open from the browser side will need to be in the public folder.. HOWEVER.. you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing <?php require '../../hidden/admin/file1.php'; ?> that would also work. BUT as your application hasn't be designed with this in mind, it may get very messy A better approach would be to have a main control file, that opens each page ie (basic example) <?php $valid = array("Home","Admin","Profile","etc"); if(isset($_GET['Page']) && in_array($_GET['Page'],$valid)) { include "../Hidden/".$_GET['Page']".php" } ?> ya, i understand what you meant here. then i got 2 set of each php file, so will it got any shortcoming in this case? will it slow down the page loading? increase the site storage or any others? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860213 Share on other sites More sharing options...
orange08 Posted June 20, 2009 Author Share Posted June 20, 2009 If your application is fundamentally differently designed, doing what I wrote in the tutorial is obviously not an option. It will only work when you route all requests through one file. Take this URL for instance: http://www.phpfreaks.com/tutorial/php-security There is no folder called tutorial and and no folder/file called php-security. oh, what you meant by route all requests through one file? can give example? i can't understand this concept... :'( Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860215 Share on other sites More sharing options...
MadTechie Posted June 20, 2009 Share Posted June 20, 2009 see my last post it has basic example Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860216 Share on other sites More sharing options...
orange08 Posted June 20, 2009 Author Share Posted June 20, 2009 see my last post it has basic example oh, the concept you have given above is 'route all requests through one file'... i see... but, how about my question posted above: so will it got any shortcoming in this case? will it slow down the page loading? increase the site storage or any others? Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860220 Share on other sites More sharing options...
MadTechie Posted June 20, 2009 Share Posted June 20, 2009 Nothing springs to mind, the logs will show that index.php is being used a lot, but thats about all! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860227 Share on other sites More sharing options...
orange08 Posted June 20, 2009 Author Share Posted June 20, 2009 Nothing springs to mind, the logs will show that index.php is being used a lot, but thats about all! ok, thanks! i remember one thing in my previous test, when my index.php(inside hidden folder) include another file in hidden folder too, then the problem of finding file inside public_html mentioned above won't exist, it can just simply link the file without problem... so, i just want to confirm, is that in the case of include file then no such problem, but if use a href then need to apply the concept you just suggested? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860232 Share on other sites More sharing options...
MadTechie Posted June 20, 2009 Share Posted June 20, 2009 Correct Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-860334 Share on other sites More sharing options...
orange08 Posted June 23, 2009 Author Share Posted June 23, 2009 This is the very reason people should look at security from the start instead of right at the end.. In any case, any file that you need to open from the browser side will need to be in the public folder.. HOWEVER.. you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing <?php require '../../hidden/admin/file1.php'; ?> that would also work. BUT as your application hasn't be designed with this in mind, it may get very messy A better approach would be to have a main control file, that opens each page ie (basic example) <?php $valid = array("Home","Admin","Profile","etc"); if(isset($_GET['Page']) && in_array($_GET['Page'],$valid)) { include "../Hidden/".$_GET['Page']".php" } ?> with the second approach, is that meant all my link need to modify from <a href="admin/myfile1.php"> to <a href="index.php?page=file1"> ? that's meant GET will be used for each case to load a page... i would like to know is that secure to use GET in this case? i need just to code as your suggestion or need to do any other prevention to avoid being hacked in this GET used? as a newbie, i just feel that it's insecure to use GET because i know very little about website security and not sure how to prevent those attack effectively... Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-861968 Share on other sites More sharing options...
MadTechie Posted June 23, 2009 Share Posted June 23, 2009 The GET is validated via the $valid array, so if something that's not in that array is used it will fail <?php $valid = array("Home","Admin","Profile","etc"); if(isset($_GET['Page']) && in_array($_GET['Page'],$valid)) { include "../Hidden/".$_GET['Page']".php" } ?> you could clean it up a little by also adding default ie <?php $valid = array("Home","Admin","Profile","etc"); if(isset($_GET['Page']) && in_array($_GET['Page'],$valid)) { include "../Hidden/".$_GET['Page']".php"; }else{ include "../Hidden/index.php"; //or failed.php (whatever!) } ?> Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-861986 Share on other sites More sharing options...
smerny Posted August 19, 2009 Share Posted August 19, 2009 Okay, Lets say you have a folder structure like this +folder1 +folder2 +public_html +classes login.php logout.php +html_files index.php config.php and config.php held this <?php $database = "myDB"; $DBUser = "root"; $DBPass = "hidden:p"; ?> Now http://www.mydomain.com/ will open http://www.yourdomain.com/index.php but they could do this http://www.yourdomain.com/config.php Now if PHP is running fine then no problems, BUT as by Daniel Says: Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote'] So just say php Fails and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this http://www.yourdomain.com/config.php And Oh my they goes your database username and password.. infact they could steal your whole sites code and data! So.. how do we stop this ? Well they can see everything in public_html, but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php ie <?php require '../hidden/index.php'; ?> +folder1 +folder2 +public_html index.php <--New index.php file +hidden +classes login.php logout.php +html_files index.php config.php How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well) hope that helps So you can include("../hidden/whatever.php"), but you can't <img src="../hidden/whatever.jpg" />? and if so... is there any way at all to put an image in a hidden folder and be able to use it on your webpage without allowing other people to link to it or host it on their sites? same sort of question for javascript and css Quote Link to comment https://forums.phpfreaks.com/topic/162768-php-security-outside-file-access/#findComment-901539 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.