April 29th, 2003, 05:52 AM
I use PHP code as part of a Web site based at our ISP (Linux based). I have put the code in a directory called "php_libs". Our Web site then calls the relevant PHP code by:
Imagine our URL for the Web site is http://www.example.com
Our directory structure seems to be:
Our ISP has informed us that for our programs based in our Web site to gain access to the php_libs directory, they have needed to put in a "link" inside the www.example.com directory. Therefore to call a program such as example.php, I can use:
This concerns me, as it means any user who guesses correctly the name of a PHP script can run it directly.
Can this situation be avoided at all, as I can't see how it is possible for Apache to know the difference between a "require ("example.php")" command from within a Web site PHP page or a user accessing the script directly?
Last edited by agblee1970; April 29th, 2003 at 07:27 AM.
April 30th, 2003, 06:06 AM
If you use PHP scripts to manage content of a site (e.g. add, edit or remove files) you should use some authentication on the directory you keep the scripts in. The easiest way (and a pretty good one too) is to use .htaccess and .htpasswd to protect the directory.
However, if you use the scripts to generate content, then I do not understand your concern.
April 30th, 2003, 01:56 PM
Thanks for replying.
The directory contains scripts that the Web sites use AND for maintaining such things as the integrity of the database. Therefore I would like to restrict access to some of the files. Is this possible, or will I need to split the scripts into two separate directories?
Scripts for generating content should be accessible to all users browsing your site, and therefore should be placed in a usual directory. Maintenance scripts and all other scripts you wouldn't like the casual user meddling with should be placed in a directory protected by some means. The easiest way is to use HTTP authentication, which is quite easy if your hosting provider uses Apache. Look in the Apache docs for more info.
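The .htaccess/.htpasswd protection suggested in the replies above, as an added example that is not part of the original posts. The directory name `php_admin`, the `/home/example/...` paths and the user name `admin` are placeholders, and it assumes the hosting provider allows `AllowOverride AuthConfig` for the directory.

```apache
# .htaccess placed in the directory that holds only the maintenance scripts
# (placeholder location: /home/example/php_admin/.htaccess).
# Content-generating scripts stay in a separate, unprotected directory.

# Ask the browser for a user name and password before serving anything
# from this directory or its subdirectories.
AuthType Basic
AuthName "Site maintenance"

# Password file. Keep it outside every web-served directory so it can
# never be fetched over HTTP. Placeholder path.
AuthUserFile /home/example/private/.htpasswd

# Any user listed in the password file may log in.
Require valid-user

# One-time setup from a shell (prompts for the password):
#   htpasswd -c /home/example/private/.htpasswd admin
# Use -c only for the first user; it creates the file and overwrites an
# existing one. Add further users with:
#   htpasswd /home/example/private/.htpasswd seconduser

# Basic authentication sends the password only base64-encoded, so serve
# this directory over HTTPS if the host offers it.
```

These directives apply only to HTTP requests. A PHP `require` of a file by its filesystem path does not pass through Apache's access checks, so pages elsewhere on the site can still include files from a protected directory.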