mac007 Posted December 12, 2010

Hi All: I have a general question on PHP... if I have an "includes" folder, and on IE somebody goes directly to it, like: http://www.site.com/includes on IE, they can see the folder-tree directory. So, files like config.php, or mysql.php could be visible.

My question is, is this safe?? Couldn't people then just drag-copy the file over into their system? Or somehow open it, view its contents? I drag-copied a .php file onto my desktop, but nothing shows up when I open it in Notepad. As opposed to opening another file that was also .php but which only had JavaScript code in it, and the JavaScript did show up. So, I take it, it should be OK?? As it seems like it works as if the .php page actually had been loaded in a web browser... doesn't show the PHP code...

Well, I'd appreciate comments, feedback on this... what would be the best way to protect files like this? htaccess-protect? Or is this not something to be overly concerned about?? From what I can tell it looks like a lot of sites are set up this way... so must be OK... ha? Thanks!

Link to comment: https://forums.phpfreaks.com/topic/221376-general-question-on-php-if-i-have-an-includes-folder-and-on-ie-somebody/

Buddski Posted December 12, 2010

There are many ways you can protect these directories. The method I use most is throwing a blank index.html file into the folder, so instead of displaying the dir listing the index will load instead.

KevinM1 Posted December 12, 2010

Just put critical files above your web root directory.

mac007 (Author) Posted December 12, 2010

Thanks Bud, night... I see, those are great tips. So, to close this topic... given the fact that they can "see" directory files, could they be able to somehow open/view them in any kind of way?? I wonder how then programs like zen-cart or cre-loaded are able to protect them... cause I believe they are just in the root dir... maybe with an htaccess...

mac007 (Author) Posted December 12, 2010

Ohh.. I wonder if a good way to protect them then... would be to change the directory mode to something that only permits exec?? Like 666 777 kind of stuff.

Anti-Moronic Posted December 12, 2010

First, no, don't chmod these to 666 or 777. 644 should be good.

..and no, thankfully, even if somebody knows exactly where these php files are on the server and they are obtainable via web root, they can never download them via http. Of course, they can if they have ftp access (FILE transfer protocol).

It is generally good practice to not allow file trees to be viewable at all via http, so instead of shoving blank index.html pages all over, use this in your htaccess:

    IndexIgnore *

You can change * to match any file name. The following will disable listing for php and ini files:

    IndexIgnore *.php *.ini

Anti-Moronic Posted December 12, 2010

By the way, you can get more info here on how you can configure this with htaccess: http://blog.eukhost.com/webhosting/enabledisable-directory-listings-using-htaccess/

mac007 (Author) Posted December 12, 2010

WOW, Anti... the IndexIgnore * was a great suggestion! That was what I was kind of looking for: simple, quick hiding of files.

On the chmod setting of 644, I guess that would work OK for non-executing folders like "images" folders, but not for directories where files like config.php reside, right? From the testing I just did it looks like these would need to have at least a chmod of 755?? Is that correct?

Thanks a lot for your feedback, it was very helpful to this newbie!

Anti-Moronic Posted December 12, 2010

Glad I could help! To be honest, I just checked one of my recent apps to be sure and all my php files are 644 and the app runs fine. The guideline here is that you don't need to allow any *extra* privileges if everything works fine on the minimum. The bare minimum being 644.

If I'm right, 7 instead of 6 gives the owner execution rights. But the confusion is that php is not being executed in this way - the file is being read and parsed. I *think* this is how it works, don't hold me to it. Check it out for yourself to be sure. That's why I would assume the php files work perfectly with 644 (without execution rights).

Here is some info: http://www.htmlite.com/php042.php

mac007 (Author) Posted December 13, 2010

Thanks Anti... helpful link! Yeah, I had done some testing on these settings... and when I used 644 on my includes folder (which had config.php, some mysql-recordset functions), my page would give me an error, like it wasn't being allowed to process the queries. But it would allow it to run queries under setting 755. Thanks!

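The mode numbers discussed in this thread, as an added example (not code from any poster): on a directory the x bit is the search permission needed to open the files inside it, so the script below reports directories that lack it, anything world-writable (666/777), and .php files carrying execute bits. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PHP tree for the permission cases raised in the thread.
# Function names and the sample tree are constructed, not taken from the posts.

# Build a throwaway tree covering each case; prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/includes" "$t/locked" "$t/uploads"
    : > "$t/includes/config.php"; : > "$t/includes/mysql.php"
    : > "$t/includes/settings.ini"; : > "$t/locked/db.php"
    chmod 644 "$t/includes/config.php" "$t/locked/db.php"
    chmod 755 "$t/includes/mysql.php"     # execute bits on a .php file
    chmod 666 "$t/includes/settings.ini"  # writable by every local user
    chmod 755 "$t/includes"               # rwx owner, r-x group/other
    chmod 777 "$t/uploads"                # world-writable directory
    chmod 644 "$t/locked"                 # directory without the search bit
    printf '%s\n' "$t"
}

# Print one finding per line as "<CODE> <path>".
audit_tree() {
    find "$1" \
        \( -type d ! -perm -0100 \
           -exec printf 'DIR_NOT_SEARCHABLE %s\n' {} \; -prune \) -o \
        \( ! -type l -perm -0002 \
           -exec printf 'WORLD_WRITABLE %s\n' {} \; \) -o \
        \( -type f -name '*.php' \
           \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
           -exec printf 'PHP_EXEC_BIT %s\n' {} \; \)
}

# Remove the sample tree (restore the search bit first so rm can descend).
remove_sample_tree() {
    chmod 755 "$1/locked" && rm -rf "$1"
}

tree=$(make_sample_tree)
audit_tree "$tree"
remove_sample_tree "$tree"
```

Files inside a directory flagged DIR_NOT_SEARCHABLE are not inspected, because the audit prunes at that directory rather than descending into it.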