doubledee
Posted May 14, 2011

Is there a way to use .htaccess so that people cannot access a file in a directory BUT a PHP script in another directory can Include the file?

(I have a sensitive file that I wanted to put outside of httpdocs and then Include it, but the way my VPS is set up, it is much harder than anticipated. So maybe using .htaccess is a reasonable workaround?!)

Debbie

PFMaBiSmAd
Posted May 14, 2011

To prevent all http/https requests, put the following into a .htaccess file in the folder -

    deny from all

doubledee (Author)
Posted May 14, 2011

> To prevent all http/https requests, put the following into a .htaccess file in the folder -
>
>     deny from all

But that won't stop me from including it from another location in httpdocs?

For example, could I have my Checkout page...

    httpdocs/secure/checkout.php

    // Include Authorize.net Values.
    require_once('/var/www/vhosts/MyWebsite.com/httpdocs/private/auth_config.php');

And then have my keys stored here...

    httpdocs/private/auth_config.php

And have your recommended .htaccess like...

    httpdocs/private/.htaccess

    deny from all

And have it work as desired?

Debbie

wildteen88
Posted May 14, 2011

No, this will not affect PHP, only http requests to the private folder, e.g. if you went to site.com/private/ or site.com/private/file.php it'll return a 403 forbidden error.

doubledee (Author)
Posted May 14, 2011

> No this will not affect PHP, only http requests.

So how secure is that????

Is it suicide to put my config settings in httpdocs?

And really how much security is the .htaccess providing?

Debbie

PFMaBiSmAd
Posted May 14, 2011

Also, you do realize that php code in a .php file would only expose your credentials if you echoed the values or php was somehow disabled/broken but the web server was still working? Browse to your auth_config.php file and see what you get as output?

doubledee (Author)
Posted May 14, 2011

> Also, you do realize that php code in a .php file would only expose your credentials if you echoed the values or php was somehow disabled/broken but the web server was still working? Browse to your auth_config.php file and see what you get as output?

I understand that, but what if someone hacked into my VPS? That is what I'm trying to guard against.

(Or what if a GoDaddy Tech goes onto my VPS and writes down my Authorize.net ID values?)

I guess storing things out of httpdocs won't help there, but I've just always heard that it is *bad* to store things like login credentials in the web root?!

I suppose the logic is that it is much easier to hack into httpdocs than the server root.

What about encrypting my keys, so if someone ever got through my .htaccess (e.g. a GoDaddy Tech snooping around), then they still couldn't see the actual key values??

Debbie

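An added example, not part of any post in the thread: a Python check that walks a document root and reports which config files are covered by a blanket deny rule (`deny from all` as posted above, or `Require all denied`, the Apache 2.4 form). The `*config*.php` pattern, the function names and the layout built in `demo()` are constructed for illustration, and the check assumes the server's `AllowOverride` setting lets `.htaccess` files take effect, which cannot be seen from the filesystem.

```python
import re
import tempfile
from pathlib import Path

# Blanket rules: the 2.2-style line from the thread and the Apache 2.4 form.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
ALLOW = re.compile(r"^\s*(allow\s+from\s+all|require\s+all\s+granted)\s*$", re.I)

def htaccess_verdict(htaccess):
    """Return 'deny', 'allow', or None if the file sets no blanket rule."""
    lines = htaccess.read_text(errors="replace").splitlines()
    if any(ALLOW.match(line) for line in lines):
        return "allow"  # conservative: any blanket allow is reported as exposed
    return "deny" if any(DENY.match(line) for line in lines) else None

def is_blocked(docroot, target):
    """True if the nearest .htaccess with a blanket rule denies HTTP access."""
    docroot, target = Path(docroot).resolve(), Path(target).resolve()
    if docroot not in target.parents:
        return True  # assumption: files outside the web root are never served
    directory = target.parent
    while True:
        ht = directory / ".htaccess"
        verdict = htaccess_verdict(ht) if ht.is_file() else None
        if verdict:
            return verdict == "deny"
        if directory == docroot:
            return False  # reached the web root without finding a rule
        directory = directory.parent

def audit(docroot, pattern="*config*.php"):
    """Map each matching file (path relative to docroot) to its blocked status."""
    return {p.relative_to(docroot).as_posix(): is_blocked(docroot, p)
            for p in sorted(Path(docroot).rglob(pattern))}

def demo():
    """Constructed layout modelled on the thread: only private/ has the rule."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "httpdocs"
        (root / "private").mkdir(parents=True)
        (root / "secure").mkdir()
        (root / "private" / ".htaccess").write_text("deny from all\n")
        (root / "private" / "auth_config.php").write_text("<?php // keys\n")
        (root / "secure" / "db_config.php").write_text("<?php // keys\n")
        return audit(root)

if __name__ == "__main__":
    for path, blocked in demo().items():
        print(f"{'blocked' if blocked else 'EXPOSED'}  {path}")
```

A file reported as blocked here can still be read by `require_once` from another script, since the rule only applies to HTTP requests.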