
Using .htaccess to protect file


doubledee


Is there a way to use .htaccess so that people cannot access a file in a directory BUT a PHP script in another directory can Include the file?

 

(I have a sensitive file that I wanted to put outside of httpdocs and then Include it, but the way my VPS is set up, it is much harder than anticipated.  So maybe using .htaccess is a reasonable workaround?!)

 

 

 

Debbie

 

 


To prevent all http/https requests, put the following into a .htaccess file in the folder -

deny from all

 

But that won't stop me from including it from another location in httpdocs?

 

For example, could I have my Checkout page...

 

httpdocs/secure/checkout.php

// Include Authorize.net Values.
require_once('/var/www/vhosts/MyWebsite.com/httpdocs/private/auth_config.php');

 

 

And then have my keys stored here...

 

httpdocs/private/auth_config.php

 

 

And have your recommended .htaccess like...

 

httpdocs/private/.htaccess

deny from all

 

And have it work as desired?

 

 

 

Debbie
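
Added example, not part of the original thread: an `httpdocs/private/.htaccess` that expresses the `deny from all` rule discussed above for both Apache 2.2 and Apache 2.4. It assumes the server's `AllowOverride` setting lets .htaccess files set access rules (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`).

```apache
# httpdocs/private/.htaccess  (added example; paths follow the thread's layout)
# Blocks every HTTP/HTTPS request for files in this directory.
# require_once() in httpdocs/secure/checkout.php is unaffected: PHP opens
# the file through the filesystem, so no Apache access check takes place.

# Apache 2.4 and later: mod_authz_core provides the Require directive.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: the older Order/Deny syntax from mod_authz_host.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

A browser request for `/private/auth_config.php` should then return 403 Forbidden; if it does not, the server is ignoring .htaccess files in that directory (for example `AllowOverride None`).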

 


Also, you do realize that php code in a .php file would only expose your credentials if you echoed the values or php was somehow disabled/broken but the web server was still working?

 

Browse to your auth_config.php file and see what you get as output?


Also, you do realize that php code in a .php file would only expose your credentials if you echoed the values or php was somehow disabled/broken but the web server was still working?

 

Browse to your auth_config.php file and see what you get as output?

 

I understand that, but what if someone hacked into my VPS?

 

That is what I'm trying to guard against.

 

(Or what if a GoDaddy Tech goes onto my VPS and writes down my Authorize.net ID values?)

 

I guess storing things out of httpdocs won't help there, but I've just always heard that it is *bad* to store things like login credentials in the web root?!  :shrug:

 

I suppose the logic is that it is much easier to hack into httpdocs than the server root.

 

What about encrypting my keys, so if someone ever got through my .htaccess (e.g. a GoDaddy Tech snooping around), then they still couldn't see the actual key values??

 

 

Debbie

 

