Security question. Hide files and folders under PHP's root directory


Jagand


Hi,

In PHP, I have various directories such as css and inc where I am placing stylesheets and include libraries. I do not want users to access either these directories or files. For example, I do not want users to access http://domain-name.com/inc/example.inc, nor do I want users to even reach http://domain-name.com/inc. Can you please let me know?

Thank you


If the users can't access the style sheets, their browsers can't either. Meaning no styles for your site.

The best way to protect your include files, however, is to move them out of the web root folder. That way it is quite impossible for the users to access them, since the web server itself cannot access them (other than via your PHP scripts).


You should look at this thread: http://forums.phpfreaks.com/index.php?topic=357293.0

You can restrict access to files by using an htaccess file or you can put the files into a folder that is not in the web root. However, you stated that you wanted to do this for css files? CSS, images, JavaScript includes, etc. are all requested from the browser. If you do not make them directly accessible you have to build functionality to make it work.

So, if you have this in your HTML file

<link rel="stylesheet" type="text/css" href="somefolder/style.css" />

. . . and the folder the file is in is not accessible directly, it will not be loaded by the browser. What you could do though is set the href to something like

<link rel="stylesheet" type="text/css" href="getstyle.php?id=3" />

Then you need to build that script to take the additional parameter, find the correct style sheet, read it into memory, and then spit it back to the client. But, that URL still has to be web accessible - so you aren't gaining anything. You could make some more complicated solutions to ensure the request is coming from a logged in session or something like that, but ultimately CSS, Images, etc. are always downloaded to the user's PC anyway.

It makes perfect sense to restrict direct access to PHP/Config type files that are included in the pages that are directly accessed. But, pages that are accessed because they are included via the HTML page does not make sense.
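
Added example, not code from any poster in this thread: the getstyle.php script described in the post above, combined with the earlier advice to keep files outside the web root. The directory layout, file names and id values are assumptions made for illustration; the id is used only as a lookup key, so a request cannot turn it into a file path.

```php
<?php
// getstyle.php: added example, not code from the thread.
// Assumed (hypothetical) layout:
//   /var/www/site/public/getstyle.php    web root, reachable by URL
//   /var/www/site/private/css/*.css      outside the web root
//   /var/www/site/private/inc/*.inc      outside the web root, loaded only via require
declare(strict_types=1);

// No URL maps to this directory; only PHP code can read from it.
const CSS_DIR = __DIR__ . '/../private/css';

// Allow-list of ids (constructed sample values). The request parameter is
// used only as a key into this array, never as part of a file path.
const STYLESHEETS = [
    '1' => 'base.css',
    '2' => 'print.css',
    '3' => 'style.css',
];

// Returns the absolute path for a known id, or null for anything else.
function resolveStylesheet(string $id): ?string
{
    if (!array_key_exists($id, STYLESHEETS)) {
        return null;
    }
    $base = realpath(CSS_DIR);
    $path = realpath(CSS_DIR . '/' . STYLESHEETS[$id]);
    // realpath() returns false when the file is missing. The prefix check
    // rejects a symlink inside CSS_DIR that points somewhere else.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// ?id[]=x arrives as an array, so confirm the type before the lookup.
$id = $_GET['id'] ?? '';
$path = is_string($id) ? resolveStylesheet($id) : null;

if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path);
```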
