Jagand Posted September 19, 2012 Share Posted September 19, 2012 Hi, In PHP, I have various directories such as css, inc where I am placing stylesheets and include libraries. I do not want users to either access these directories or files. For example, I do not want users to access http://domain-name.com/inc/example.inc and neither want user to even reach to http://domain-name.com/inc. Can you please let me know? Thank you Quote Link to comment https://forums.phpfreaks.com/topic/268574-security-question-hide-files-and-folders-under-phps-root-directory/ Share on other sites More sharing options...
Christian F. Posted September 19, 2012 Share Posted September 19, 2012 If the users can't access the style sheets, their browsers can't either. Meaning no styles for your site. The best way to protect your include files, however, is to move them out of the web root folder. That way it is quite impossible for the users to access them, since the web server itself cannot access them (other than via your PHP scripts). Quote Link to comment https://forums.phpfreaks.com/topic/268574-security-question-hide-files-and-folders-under-phps-root-directory/#findComment-1379407 Share on other sites More sharing options...
Psycho Posted September 19, 2012 Share Posted September 19, 2012 You should look at this thread: http://forums.phpfreaks.com/index.php?topic=357293.0 You can restrict access to files by using an htaccess file or you can put the files into a folder that is not in the web root. However, you stated that you wanted to do this for css files? CSS, images, JavaScript includes, etc are all requested from the browser. If you do not make them directly accessible you have to build functionality to make it work. So, if you have this in your HTML file <link rel="stylesheet" type="text/css" href="somefolder/style.css" /> . . . and the folder the file in is not accessible directly it will not be loaded by the browser. What you could do though is set the href to something like <link rel="stylesheet" type="text/css" href="getstyle.php?id=3" /> Then you need to build that script to take t he additional parameter, find the correct style sheet, read it into memory, and then spit it back to the client. But, that URL sill has to be web accessible - so you aren't gaining anything. YOu could make some more complicated solutions to ensure the request is coming from a logged in session or something like that, but ultimately CSS, Images, etc are always downloaded to the users PC anyway. It makes perfect sense to restrict direct access to PHP/Config type files that are included in the pages that are directly accessed. But, pages that are accessed because they are included via the HTML page does not make sense. Quote Link to comment https://forums.phpfreaks.com/topic/268574-security-question-hide-files-and-folders-under-phps-root-directory/#findComment-1379410 Share on other sites More sharing options...
Jagand Posted September 19, 2012 Author Share Posted September 19, 2012 Thank you so much! I will limit access restrictions to only inc and other PHP files. Quote Link to comment https://forums.phpfreaks.com/topic/268574-security-question-hide-files-and-folders-under-phps-root-directory/#findComment-1379446 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.