  1. #1 ademmeda (SitePoint Addict)

    How to protect directories such as "core", "includes", "images" etc.

    Hi,

    I am building a website with PHP and I was wondering the best way to protect some directories that contain critical files or images etc.

    For example, I have the following directories:

    - /core/ - contains database details file and functions file.
    - /includes/ - contains header, footer, sidebar and other included files.
    - /images/ - contains images and I don't want visitors to be able to list the images as a directory listing.

    I have this .htaccess file in the /core/ folder:

    Code:
    Deny From All

    Shall I add this file to other folders as well? Or what else do I need?

  2. #2 Immerse (SitePoint Wizard, Netherlands)
    You could do that, although I wouldn't add that to the images directory (otherwise no one will be able to view your images).
    For the images you probably just need to put an empty index.html file in your images dir. Check out the Apache docs for DirectoryIndex for more information.

  3. #3 dklynn (Auckland)
    Quote Originally Posted by ademmeda View Post
    Hi,

    I am building a website with PHP and I was wondering the best way to protect some directories that contain critical files or images etc.

    For example, I have the following directories:

    - /core/ - contains database details file and functions file.
    - /includes/ - contains header, footer, sidebar and other included files.
    - /images/ - contains images and I don't want visitors to be able to list the images as a directory listing.

    I have this .htaccess file in the /core/ folder:

    Code:
    Deny From All

    Shall I add this file to other folders as well? Or what else do I need?
    Immerse is correct - that's NOT the thing to do!

    core and includes can (should) be moved out of the webspace (above the public_html directory) if at all possible. The best you can do with images (to prevent a listing) is to use the Apache directive for that: Options -Indexes (in the .htaccess file - DocumentRoot would be best as that would cover all your webspace directories).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  4. #4 ademmeda (SitePoint Addict)
    Thank you for your feedback. I have "Options -Indexes" in my root .htaccess file now.

    David, what do you mean by "core and includes can (should) be moved out of the webspace (above the public_html directory) if at all possible."?

  5. #5 dklynn (Auckland)
    adem,

    Your host likely has you in a directory, say /home/~ademmeda which then has a subdirectory public_html (or www) where your website is located. My recommendation is to move protected files OUT of the public_html (or www) subdirectory into another subdirectory at the same level (in other words, /home/~ademmeda/public_html/core directory would be moved to /home/~ademmeda/core) where it cannot be accessed by an html request. Obviously, php includes and core information can be accessed by your php files (within the website) so things will work perfectly but with your sensitive files protected.

    As Immerse pointed out, you can't do that with images as they're accessed via http to display the images in your webpage. You can use PHP links to access the images outside the webspace but, once the image is served, it's available to the world (whereas the content, not the output, of php files is protected by the server's PHP daemon).

    Regards,

    DK

  6. #6 ademmeda (SitePoint Addict)
    David, thanks for your advice. Honestly, this is the first time I have heard this. Are you trying to say an .htaccess file with "Deny From All" in the "core" folder will not be enough? What I am working on is a CMS and I guess some popular CMS like WordPress have their critical files within their own folder and I think there are no security problems. I know hiding from a bullet behind a double wall is safer than hiding behind a single wall but if a single wall is certain to block the bullet, I guess it will be enough, am I wrong?

    One more thing: Let's say I am on a shared hosting and I have the following folder structure:

    /home/username/core/functions.php
    /home/username/public_html/website/index.php

    How will I include functions.php within index.php?

  7. #7 dklynn (Auckland)
    adem,

    A CMS must rely on protected directories and use Apache's permissions to help protect in addition to Options -Indexes and requiring a login to the admin directory (and all its subs). I'd say that's pretty secure but, if you want bulletproof, think about why WP tells you to remove the INSTALL directory.

    For your question, include_once('../core/functions.php'); would do the trick. Otherwise, include_once('/home/username/core/functions.php'); as you have access to the server's entire file system (although you'll lack permissions outside the username directory to access other files).

    Regards,

    DK
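As an added example (not code from the thread or from any of its posters), here is how index.php in the layout adem describes in #6 can load functions.php from the core directory that sits outside public_html, resolving the path from the script's own location instead of a cwd-relative '../', and refusing to run a file that is still inside the document root. The ACCOUNT_ROOT, CORE_DIR and IN_APP names are assumptions for illustration.

```php
<?php
// Added example: /home/username/public_html/website/index.php (assumed path)
// loading /home/username/core/functions.php, which lives OUTSIDE the web root.
declare(strict_types=1);

// Resolve the account directory from __DIR__ rather than from '../':
// include() resolves '..' against the working directory and include_path,
// which differ between web requests, cron jobs and the CLI.
// __DIR__ = /home/username/public_html/website -> two levels up = /home/username
define('ACCOUNT_ROOT', dirname(__DIR__, 2));
define('CORE_DIR', ACCOUNT_ROOT . '/core');

// Marker that included files check so they exit when requested directly
// over HTTP instead of being pulled in by index.php (the "second wall").
define('IN_APP', true);

/**
 * Include a file from CORE_DIR only if it really resolves inside that
 * directory and outside DocumentRoot. realpath() collapses '..' and
 * symlinks so a bad name cannot escape core/.
 */
function requireCore(string $name): void
{
    $core = realpath(CORE_DIR);
    $path = realpath(CORE_DIR . '/' . $name);
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

    if ($core === false || $path === false || strpos($path, $core . '/') !== 0) {
        throw new RuntimeException("Refusing to include '$name': not inside core/");
    }
    if ($docRoot !== false && strpos($path, $docRoot . '/') === 0) {
        // Still under public_html, so the file is reachable by URL: fail loudly
        // instead of silently running a file that was never moved.
        throw new RuntimeException("$path is still inside the document root");
    }
    require_once $path;
}

requireCore('functions.php');

// ---- Top of /home/username/core/functions.php (and of any file that has ----
// ---- to stay under includes/): abort if loaded directly rather than via  ----
// ---- index.php. Cheap to add and independent of .htaccess being honoured. ----
// if (!defined('IN_APP')) { http_response_code(403); exit('Forbidden'); }
```

The guard at the bottom is the line that goes into each included file; it gives protection even on a host that ignores .htaccess, while moving the directory above public_html remains the primary control.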
