5 Replies - 4843 Views - Last Post: 04 October 2013 - 10:11 AM

#1 mutago234

stop direct access of php files

Posted 03 October 2013 - 05:59 AM

I need to prevent direct access to all the PHP files but allow only the file pass.php.

How can I do that?

<Files ~ "\.php$">
# Deny is evaluated first, then Allow, so the 127.0.0.1 exception takes effect
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
The code only allows access to localhost.

Now what if I want to allow access only to

https://www.example....record/pass.php

Is it like this?

<Files ~ "\.php$">
Order allow,deny
Deny from all
Allow from https://www.example....record/pass.php
</Files>


Replies To: stop direct access of php files

#2 codeprada

Re: stop direct access of php files

Posted 03 October 2013 - 04:24 PM

If you don't want to allow access to the files then that means they aren't supposed to be public. A simple revamp of your web app's file structure would solve the problem. Picture your public_html folder or your www folder, whichever folder holds your public files. Scripts have access to the file system, so you don't have to worry about not being able to execute or include them if they aren't in a public directory. Here's a sample file structure I use with my web apps.
-/private
----/include (include & required files here)
----/classes
----/config 
-/public_html
----/www (your public files)
--------/images
----index.php (will have access to your /private folder)



Another solution is to place all the PHP files you want to keep "protected" in a directory of their own and configure an .htaccess file so that a password is required to gain access to that directory.

Links
Using .htaccess file

#3 mutago234

Re: stop direct access of php files

Posted 03 October 2013 - 09:23 PM

That is uploading my files, e.g. /uploads, outside /public_html, right?

Can you also comment on this:

Using 2 Files directives? One to restrict access to all *.php files and then one to allow access to only one?

<Files ~ ".php$">
Order allow,deny
Deny from all
</Files>
<Files "pass.php">
Order allow,deny
Allow from all
</Files>

#4 mutago234

Re: stop direct access of php files

Posted 03 October 2013 - 09:42 PM

What if the person just guesses the directory link and bypasses the index.php files residing in public_html,

e.g. https://example.com/i have seen it/steal.php
Won't it execute?

I think we need to tell Apache not to load directory /web outside root, as follows:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>


My problem is that this only works in the httpd.config file.

OK. Within my shared hosting account, I don't have access to the httpd.config file. I entered the above code inside .htaccess files but it is not working. It seems that the directory tag (<directory> </directory>) is not allowed inside .htaccess files.

1: How can I achieve this using either php.ini or .htaccess?
2: Can the directory tag work inside .htaccess files?

#5 codeprada

Re: stop direct access of php files

Posted 04 October 2013 - 08:39 AM

This is what I used to get the results you were looking for. Firstly deny all access to all PHP files then allow access to the index.php file. Works just fine on my test Apache server.
<FilesMatch "\.(php)$">
  deny from all
</FilesMatch>
<Files index.php>
  allow from all
</Files>


I must ask, are you allowing users to upload PHP scripts? Someone could upload their own index.php file. Don't you think?

This post has been edited by codeprada: 04 October 2013 - 08:40 AM
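
An added example, not part of the original thread or any poster's code: the "deny every PHP file, then re-open one" rule from the post above, written for both Apache 2.2 (Order/Deny/Allow) and Apache 2.4 (Require), with a second .htaccess that covers the uploaded-file concern raised at the end of that post. The file name pass.php comes from the question; the file locations, the uploads/ directory name and the 2.4 branch are assumptions.

```apache
# ---- public_html/.htaccess (assumed location) ----
# Requires the host to permit these directives in .htaccess:
# AllowOverride AuthConfig for Require (2.4), AllowOverride Limit for Order/Deny/Allow (2.2).
# <Files>/<FilesMatch> sections are applied in the order they appear, so the
# later <Files "pass.php"> section overrides the earlier blanket deny.

# Apache 2.4 (mod_authz_core present)
<IfModule mod_authz_core.c>
  <FilesMatch "\.php$">
    Require all denied
  </FilesMatch>
  <Files "pass.php">
    Require all granted
  </Files>
</IfModule>

# Apache 2.2 (no mod_authz_core)
<IfModule !mod_authz_core.c>
  <FilesMatch "\.php$">
    Order deny,allow
    Deny from all
  </FilesMatch>
  <Files "pass.php">
    Order allow,deny
    Allow from all
  </Files>
</IfModule>

# ---- public_html/uploads/.htaccess (assumed upload directory) ----
# <Files> matches on the file name alone, in this directory and in every
# subdirectory, so a user-uploaded file named pass.php would be let through by
# the exception above. Deny all PHP again here, with no exception.
<IfModule mod_authz_core.c>
  <FilesMatch "\.php$">
    Require all denied
  </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
  <FilesMatch "\.php$">
    Order deny,allow
    Deny from all
  </FilesMatch>
</IfModule>
```

The stronger fix is still the one from the earlier reply: keep include files and uploads outside public_html so that no URL maps to them at all.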


#6 no2pencil

Re: stop direct access of php files

Posted 04 October 2013 - 10:11 AM

This is not a question of PHP coding, but rather web hosting security through use of .htaccess.

Moving to Web Servers & Hosting.