I have a website where I let staff upload to the /staff/ directory via an upload script that I created.
Now, I don't want them to be able to include files that are in the main website (in the root, or from any other directory for that matter), but still to be able to upload PHP scripts.
Currently it poses a huge security risk, as they can include /config.php etc., which, if they can guess the variable names, gives them the database info.
I found something on Google about <directory> - Includes</directory> (to put in .htaccess) which I thought would work, but it gave me a 500 Internal Server Error.
Perhaps I need to 'tell it' that it's a virtual directory (like my user area on the shared server my hosting is on) - so as to limit the access rights.
Please help and tell me how I can limit including of files other than those in the same directory!
Limit access to parent directories