  1. #1 nayen (SitePoint Addict)

    Protecting templates in a CMS-like application

    Hi,

    I am building a web application (PHP) that allows users to create websites choosing some pre-designed templates. The admin area is password protected. Let's say the templates are located in the "templates" folder within the application. A couple of scripts in the application are accessing those template files to make modifications. I was wondering how I could protect that templates folder and all the files in it so that they can't be accessed outside the application (No .htaccess).

    Thanks for any ideas.

  2. #2 cpradio (Hosting Team Leader)
    Store them outside of a web accessible directory and use an absolute path for accessing them

  3. #3 nayen (SitePoint Addict)
    Quote Originally Posted by cpradio:
    Store them outside of a web accessible directory and use an absolute path for accessing them
    Thanks for your suggestion but this is not a personal application, it will be distributed. I have been checking WordPress to get some clues because it also has templates. For example, on a WordPress site, when I try to directly access any of the files in the following folder, it gives a Server Error.

    Code:
    http://www.website.com/wp-content/themes/twentyeleven/
    Is that done by .htaccess?

  4. #4
    Resident OCD goofball! bronze trophy Serenarules's Avatar
    Join Date
    Dec 2002
    Posts
    1,911
    Mentioned
    26 Post(s)
    Tagged
    0 Thread(s)
    I'm not great with server configuration, but putting a .htaccess file in that folder with the following single line should work. You'll be able to include them in your scripts without problem. The folder just won't be directly browsable. If this doesn't work, double check with somebody in our Server Configuration forum.

    deny from all

  5. #5 nayen (SitePoint Addict)
    Quote Originally Posted by Serenarules:
    I'm not great with server configuration, but putting a .htaccess file in that folder with the following single line should work. You'll be able to include them in your scripts without problem. The folder just won't be directly browsable. If this doesn't work, double check with somebody in our Server Configuration forum.

    deny from all
    Thanks for the suggestion. I know how to protect it via htaccess, I am looking for a solution without .htaccess if possible.

  6. #6 Lemon Juice (SitePoint Guru)
    If you don't want .htaccess then some good security through obscurity should suffice in this case. Put all templates in a folder with a long, random, impossible-to-guess name, for example "/templates_JlABWSFW1HlbghZ57GFo". Store the folder name in some configuration or constant in your application and use it whenever your scripts need to access the files. But make sure that no one - even in the admin area - ever sees the real path to the templates, so don't send the folder name to the browser. If you need someone to access a template file in the browser then let them do it through a proxy PHP script that will authenticate the user and serve the file from the secret folder. Also, suppress any PHP warnings for the functions you will be using to access the secret folder, because if an error occurs (for example in file_get_contents('/templates_JlABWSFW1HlbghZ57GFo/...') or fopen('/templates_JlABWSFW1HlbghZ57GFo/...'), copy(), etc.) then PHP may throw a warning outputting the file path to the browser.

    This should be enough for most use cases. You may rename the secret folder periodically.

    As additional security you can also append some random string to each file name you store in the secret folder.
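The "proxy PHP script" from post #6, written out as an added example (not code from the thread) that also applies post #2's advice to keep the folder above the web root. Assumed: PHP 7+, a folder named private_templates one level above the script, and an admin login that sets $_SESSION['admin'] = true.

```php
<?php
// Added example, not code from the thread: an authenticated "proxy" script
// that serves a template from a folder the web server never exposes directly.
// It combines post #2 (store above the web root, use an absolute path) with
// post #6 (authenticate, serve through PHP, never leak the real path).
// Assumptions: PHP 7+, and the admin login sets $_SESSION['admin'] = true.
session_start();

// One level above the document root, so no .htaccess is needed. If the host
// only gives you the web root, use a long random folder name here instead,
// as post #6 suggests, and keep it out of every page you send to the browser.
define('TEMPLATE_DIR', __DIR__ . '/../private_templates');

function deny(): void
{
    http_response_code(404);   // same answer for "no login" and "no file",
    exit;                      // so the response never confirms what exists
}

if (empty($_SESSION['admin'])) {
    deny();
}

// Accept only a bare file name: this rejects "../", slashes and absolute paths.
$name = $_GET['t'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $name)) {
    deny();
}

// realpath() canonicalises both sides and returns false for missing files;
// the prefix check keeps a symlink inside the folder from pointing elsewhere.
$base = realpath(TEMPLATE_DIR);
$path = realpath(TEMPLATE_DIR . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny();
}

// The @ suppresses the warning that would otherwise print the secret path.
$body = @file_get_contents($path);
if ($body === false) {
    deny();
}

header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```

Every failure path answers with the same 404 and an empty body, so neither the folder name nor the existence of a given template leaks to an unauthenticated visitor.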

  7. #7 Lemon Juice (SitePoint Guru)
    Oh, and I have yet another solution: store all your templates in files with .php extension and let each file begin with this line:
    PHP Code:
    <?php exit; ?>
    Then make your application ignore the first line. If someone guesses the file name they will not be able to access it.

    Or better yet:
    PHP Code:
    <?php header("HTTP/1.0 404 Not Found"); exit; ?>

  8. #8 nayen (SitePoint Addict)
    Quote Originally Posted by Lemon Juice:
    Oh, and I have yet another solution: store all your templates in files with .php extension and let each file begin with this line:
    PHP Code:
    <?php exit; ?>
    Then make your application ignore the first line. If someone guesses the file name they will not be able to access it.

    Or better yet:
    PHP Code:
    <?php header("HTTP/1.0 404 Not Found"); exit; ?>
    Thanks for the previous suggestion and this one. Actually, I was inclined toward the latter solution but I wasn't sure if I wanted to do that. Is there a shortcut to ignore the first line in a PHP file or do I have to get the file content and filter the first line out?

  9. #9 Lemon Juice (SitePoint Guru)
    Quote Originally Posted by nayen:
    Is there a shortcut to ignore the first line in a PHP file or do I have to get the file content and filter the first line out?
    None that I know of. Just use fgets() followed by fread().
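The guard line from post #7 and the fgets()/fread() skip from post #9, carried through in one added example (not code from the thread): the save side prepends the guard, the load side verifies and strips it. TEMPLATE_DIR, save_template() and load_template() are assumed names.

```php
<?php
// Added example, not code from the thread: templates stored as .php files
// whose first line is the 404-and-exit guard from post #7, read back by
// skipping that line with fgets() and reading the rest with fread() (post #9).
// TEMPLATE_DIR is an assumed location; change it to suit the application.
define('TEMPLATE_DIR', __DIR__ . '/templates');
define('GUARD_LINE', '<?php header("HTTP/1.0 404 Not Found"); exit; ?>' . "\n");

function template_path(string $name): string
{
    // Only simple names are accepted, so a user-chosen name cannot traverse
    // out of the folder or pick a file that lacks the guard.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        throw new InvalidArgumentException('Invalid template name');
    }
    return TEMPLATE_DIR . '/' . $name . '.php';
}

function save_template(string $name, string $body): void
{
    // A direct HTTP request for the file runs the guard and gets a 404;
    // the template markup after it is never sent.
    file_put_contents(template_path($name), GUARD_LINE . $body, LOCK_EX);
}

function load_template(string $name): string
{
    $path = template_path($name);
    // @ keeps a failed open from echoing the path in a warning (post #6).
    $fp = @fopen($path, 'rb');
    if ($fp === false) {
        throw new RuntimeException('Template not found');  // no path in message
    }
    $first = fgets($fp);              // consume the guard line
    if ($first !== GUARD_LINE) {      // refuse files that were not saved by us
        fclose($fp);
        throw new RuntimeException('Template is missing its guard line');
    }
    $rest = fread($fp, max(1, filesize($path)));  // rest of the file
    fclose($fp);
    return $rest === false ? '' : $rest;
}
```

Checking that the first line really is the guard, rather than blindly discarding it, means a file dropped into the folder by other means is rejected instead of rendered.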