#1
    Security concern


    Hello

    I use PHP code as part of a Web site based at our ISP (Linux based). I have put the code in a directory called "php_libs". Our Web site then calls the relevant PHP code by:
    require ("example.php");

    Imagine our URL for the Web site is http://www.example.com

    Our directory structure seems to be:
    php_libs
    www.example.com

    Our ISP has informed us that for our programs based in our Web site to gain access to the php_libs directory, they have needed to put in a "link" inside the www.example.com directory. Therefore to call a program such as example.php, I can use:
    http://www.example.com/php_libs/example.php

    This concerns me, as it means any user who guesses correctly the name of a PHP script can run it directly.

    Can this situation be avoided at all, as I can't see how it is possible for Apache to know the difference between a "require ("example.php")" command from within a Web site php page or a user accessing the script directly.

    Thanks.
    Last edited by agblee1970; April 29th, 2003 at 07:27 AM.
#2
    If you use PHP scripts to manage content of a site (e.g. add, edit or remove files) you should use some authentication on the directory you keep the scripts in. The easiest way (and a pretty good one too) is to use .htaccess and .htpasswd to protect the directory.
    However, if you use the scripts to generate content then I do not understand your concern.
#3
    Thanks for replying.

    The directory contains scripts that the Web sites use AND for maintaining such things as the integrity of the database. Therefore I would like to restrict access to some of the files. Is this possible, or will I need to split the scripts into two separate directories?
#4
    Scripts for generating content should be accessible to all users browsing your site, and therefore should be placed in a usual directory. Maintenance scripts and all other scripts you wouldn't like the casual user meddling with should be placed in a directory protected by some means. The easiest way is to use HTTP authentication, which is quite easy if your hosting provider uses Apache. Look in the Apache docs for more info.
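
The split suggested in this thread, sketched as two `.htaccess` files. This is an added example, not part of any post above. It assumes Apache 2.4 syntax, a host that allows `AllowOverride AuthConfig`, and the hypothetical names `php_libs/includes`, `php_libs/admin`, `/home/example/private/.htpasswd` and the user `maint`.

```apache
# ---- php_libs/admin/.htaccess ------------------------------------------
# Hypothetical directory holding only the maintenance scripts
# (for example the database integrity checks mentioned in the thread).
AuthType Basic
AuthName "Maintenance scripts"
# Constructed path: keep the password file outside every directory Apache
# serves. Create it once with:
#   htpasswd -c /home/example/private/.htpasswd maint
AuthUserFile /home/example/private/.htpasswd
Require valid-user
# Basic authentication sends the password base64-encoded, not encrypted,
# so refuse plain-HTTP requests. This directive needs mod_ssl loaded.
SSLRequireSSL

# ---- php_libs/includes/.htaccess ---------------------------------------
# Hypothetical directory for files that pages only pull in with
# require("example.php"). PHP reads those files from disk, so the request
# never passes through Apache's access checks and this rule does not
# break the include; it only stops a browser from requesting
# http://www.example.com/php_libs/includes/example.php directly.
Require all denied
```

Scripts that visitors are meant to request by URL stay in an ordinary directory with neither file, as post #4 describes.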
