mac007 Posted December 12, 2010 Share Posted December 12, 2010 Hi All: I have general question on php... if I have an "includes" folder, and on IE somebody goes directly to it, like: http://www.site.com/includes on IE, they can see the folder-tree- directory. So, files like config.php, or mysql.php could be visible. My question is, is this safe?? couldnt people then just drag-copy the file over into their system? or somehow open it, view its contents? I dragged-copied a .php file into my desktop, but nothing shows up when I open in in notepad. As opposed to opening another file that was also .php but which only had javascript code in it, and the javascipt did show up. So, I take it, it should be ok?? as it seems like it works as if the .php page actually had been loaded on a web-browser... doesnt show the php code... well, appreciate comments, feedback on this... what woudl be the best way to protect files like this? htaccess-protect? or is this not something to be overly concerned about?? From what I can tell looks like a lot of site are setup this way... so must be ok... ha? Thanks! Quote Link to comment Share on other sites More sharing options...
Buddski Posted December 12, 2010 Share Posted December 12, 2010 There are many ways you can protect these directories.. The method I use most is throwing a blank index.html file into the folder so instead of displaying the dir listing the index will load instead Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted December 12, 2010 Share Posted December 12, 2010 Just put critical files above your web root directory. Quote Link to comment Share on other sites More sharing options...
mac007 Posted December 12, 2010 Author Share Posted December 12, 2010 thanks Bud, night... I see, those are great tips. So, to close this topic... is the fact that they can "see" directory files, coudl they be able to somehow open/view them in any kind way?? I wander how then programs like zen-cart or cre-loaded are able to protect them... cause I believe they are just on root dir... maybe with a htacces... Quote Link to comment Share on other sites More sharing options...
mac007 Posted December 12, 2010 Author Share Posted December 12, 2010 ohh.. I wander if a good way to protect then... would be to change the directoty mode to something that only permits exec?? like 666 777 kind of stuff Quote Link to comment Share on other sites More sharing options...
Anti-Moronic Posted December 12, 2010 Share Posted December 12, 2010 First, no don't chmod these to 666 or 777. 644 should be good. ..and no, thankfully, even if somebody knows exactly where these php files are on the server and they are obtainable via web root, they can never download them via http. Of course, they can if they have ftp access (FILE transfer protocol). It is generally good practice to not allow file trees to be viewable at all via http so instead of shoving blank index.html pages all over, use this in your htaccess: IndexIgnore * You can change * to match any file name. The following will disable listing for php and ini files: IndexIgnore *.php *.ini Quote Link to comment Share on other sites More sharing options...
Anti-Moronic Posted December 12, 2010 Share Posted December 12, 2010 You can get more info here by the way on how you can configure this with htaccess: http://blog.eukhost.com/webhosting/enabledisable-directory-listings-using-htaccess/ Quote Link to comment Share on other sites More sharing options...
mac007 Posted December 12, 2010 Author Share Posted December 12, 2010 WOW, Anti... the IndexIgnore * was a great suggestion! That was what I kind of looking for, simple, quick hiding of files. On the chmod setting of 644, I guess that woudl work OK for non-executing folders like "images" folders, but not for directories where files like config.php resides, right? From the testing I just did looks like these would need to have at least a chmod of 755?? is that correct? Thanks a lof for your feedback, was very helpful to this newbie! Quote Link to comment Share on other sites More sharing options...
Anti-Moronic Posted December 12, 2010 Share Posted December 12, 2010 Glad I could help! To be honest, I just checked one of my recent apps to be sure and all my php files are 644 and the app runs fine. Guideline here is that you don't need to allow any *extra* privileges if everything works fine on the minimum. The bare minimum being 644. If I'm right, 7 instead of 6 gives the owner execution rights. But, the confusion is that php is not being executed in this way - the file is being read and parsed. I *think* this is how it works, don't hold me to it. Check it out for yourself to be sure. That's why I would assume the php files work perfect with 644 (without execution rights). Here is some info: http://www.htmlite.com/php042.php Quote Link to comment Share on other sites More sharing options...
mac007 Posted December 13, 2010 Author Share Posted December 13, 2010 Thanks Anti... helpful link! Yeah, I had done some testing on these settings... and when I used the 644 on my includes folder (which had config.php, some mysql-recordset functions), my page woudl give me error; like it wasnt being allowed to process the queries. But it would allow it to run queries if under setting 755. Thanks! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.