External file access

4 replies to this topic

#1 freelance84

Posted 01 July 2010 - 01:41 PM

I'm not sure if this is the correct place for this one; if not, I'm sure it will be corrected.

With regards to the PHP-security tutorial:
Section 5 talks about external file access and how everything but the index.php should be removed from the document root... I'm pretty confused and have been trying to get my head around this for about 2 hours now, with Google searches not really resulting in much.

Firstly, don't all the pages need to be in the public_html or one of its sub-directories?

Also, if something does go wrong and the user does see the directory tree, would they be able to right click and save to file any folder/file they wish? Or are they just simply able to view the different file names?

Please go easy with me on this one, it's all completely new and I'm just struggling to break in.

Thanks,

John

Blogger | Will this really happen?

Everything should be made as simple as possible... but not simpler [A. Einstein]

#2 ChemicalBliss

Posted 01 July 2010 - 02:01 PM

You can turn Indexes off via a .htaccess file in Apache - this would eliminate any way of retrieving a "Directory Listing".
But yes, external files are usually in a folder above the public_html, e.g.:

www/
  external_includes/
      config.php
  public_html/
      index.php

index.php would have a line like so:
include("../external_includes/config.php");

-cb-
Be Friendly, Gracious, and Helpful.
If you find me especially helpful you can chat to me on AIM/MSN/Yahoo/ICQ/Skype or Astra, Just add me and send a message saying your from PHPFreaks. I may be able to provide Paid Services for certain projects.
My New Geeky Coding Analogy :)
if(human_comprehension($this->cosmos_reality) !== FALSE){
    $this->singularity(); }
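A worked version of the layout in the reply above, added here as an example (it is not code from the original post). It assumes www/external_includes/config.php returns a PHP array and that www/public_html/.htaccess contains the single line "Options -Indexes"; index.php below lives in public_html. Because config.php sits above the document root, Apache has no URL that maps to it, so a visitor can never fetch it even if directory listing were somehow switched back on.

```php
<?php
// Added example, not the original poster's code.
// Assumed layout (following the reply above):
//   www/external_includes/config.php   outside the document root, returns an array
//   www/public_html/.htaccess          contains:  Options -Indexes
//   www/public_html/index.php          this file
declare(strict_types=1);

// __DIR__ is the directory this script lives in, so the path is fixed and does
// not depend on the web server's working directory the way include("../x") does.
$configPath = dirname(__DIR__) . '/external_includes/config.php';

if (!is_readable($configPath)) {
    // Fail closed: report nothing about paths or internals to the visitor.
    http_response_code(500);
    exit('Site configuration unavailable.');
}

/** @var array $config  e.g. ['db_host' => 'localhost', 'db_name' => 'shop'] (assumed keys) */
$config = require $configPath;

// Never echo credentials; only a harmless, escaped value is shown here.
echo 'Database name: ', htmlspecialchars((string) $config['db_name'], ENT_QUOTES, 'UTF-8');
```

With display_errors turned off in php.ini the failure branch is also what keeps a broken include from printing the absolute path of config.php in an error message, which is the other way the "directory tree" usually leaks.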

#3 freelance84

Posted 01 July 2010 - 02:12 PM

Ok, so if I turned Indexes off via the .htaccess, if Apache failed or something else the user would not be able to see anything but a blank page?

What if the Apache or something else failed during the login? Would this display the login.php to user in plain text?

#4 ChemicalBliss

Posted 01 July 2010 - 02:20 PM

If Apache failed, you would not even get access to the webserver.
If for some reason Apache failed to load .htaccess files then yes, they could technically get your directory tree, but directory trees aren't that big a security threat in themselves; it is when you have bad code design that it is a problem. For instance,

index.php
admin/
  delete_db.php

This is a problem that many shopping carts and CMS scripts had - these files could be remotely activated by using specific GET requests.
This would allow someone to know where to strike first.

If you truly are worried about your directory tree being viewed, then yes, use the external file method as outlined above. But technically you should never need to hide your directory tree; if you're worried about security, get people you know (the phpfreaks beta test forums is a good place) to try to hack it and close the gaps.

-cb-
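The "bad code design" in the reply above is an admin script that performs its action as soon as its URL is requested, so knowing the path is enough. The hardened admin/delete_db.php below is an added example (not from the original post or from any particular cart or CMS) showing the checks that make the script's location irrelevant: an authenticated admin session, a POST rather than a GET, and a CSRF token tied to the session. The session key names and the dropDatabaseTables() helper are assumptions for illustration.

```php
<?php
// Added example: a destructive admin action that cannot be triggered by a bare GET.
// Session keys 'is_admin' and 'csrf_token' are assumed to be set by the login code.
declare(strict_types=1);
session_start();

// 1. Only an authenticated administrator may reach this point at all.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. State-changing actions are never performed on GET (or HEAD): a link,
//    an <img src>, or a crawler following the URL must not delete anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit('Method not allowed');
}

// 3. The request must carry the token issued to this session, so a form on
//    another site cannot make the admin's browser submit it unknowingly.
$sent = $_POST['csrf_token'] ?? '';
$expected = $_SESSION['csrf_token'] ?? '';
if ($expected === '' || !hash_equals($expected, (string) $sent)) {
    http_response_code(403);
    exit('Invalid request token');
}

// 4. Only now do the dangerous work; the helper is assumed to exist elsewhere.
dropDatabaseTables();
echo 'Database tables removed.';

/** Generates the token the admin form must embed; call once per session. */
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
```

The admin form that targets this script embeds issueCsrfToken() in a hidden field; everything that reaches the script without that field, or via GET, stops at a 4xx before any database call runs, whether or not the visitor has seen the directory listing.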

#5 freelance84

Posted 01 July 2010 - 02:25 PM

Ok, thanks for your help. I might just be doing that then, as I'm nearly done with my first site.