  1. #1
    Member
    Join Date
    Jun 2003
    Location
    Madison, WI, USA
    Posts
    30
    Member #
    1590
    Suppose I have a small script somewhere on my site that accesses the database. I have it laid out as such:

    /myscript/script.php
    /myscript/* (other files)
    /myscript/config/scriptconfig.php

    What do I need to do to protect the scriptconfig.php file from prying eyes (or browsers)? If I browse directly to that directory, I can see the scriptconfig.php file with my browser, but can't retrieve the code. Still, it seems rather unsecure.

    What are the correct chmod settings and .htaccess setup(s) for such a system?

    Thanks!
    futureal@rctech.net | R/C Tech

  3. #2
    Senior Member nsr81's Avatar
    Join Date
    Oct 2002
    Posts
    1,132
    Member #
    250
    Liked
    15 times
    1. Make sure that all the contents of config file are surrounded by <? and ?>

    2. You could put a referer check or a global variable check to see if the file was accessed from one of your files or directly.

    e.g. in your script.php, before you include the config file:
    PHP Code:
    define('GOOD', true);
    and in scriptconfig.php:
    PHP Code:
    // Direct request: the including script never defined GOOD, so bounce the visitor.
    if (!defined('GOOD')) {
        header('Location: http://www.yoursite.com/script.php');
        exit;
    }

    3. Place a ".htaccess" file in the config folder (if you are running Apache) with the following line:
    Code:
    Options -Indexes
    There and Back Again :Ogre:

  4. #3
    WDF Staff Wired's Avatar
    Join Date
    Apr 2003
    Posts
    7,656
    Member #
    1234
    Liked
    137 times
    Also, if you don't want people prying into that folder, place an index.html file there.
    The Rules
    Was another WDF member's post helpful? Click the like button below the post.

    Admin at houseofhelp.com

  5. #4
    Senior Member nsr81's Avatar
    Join Date
    Oct 2002
    Posts
    1,132
    Member #
    250
    Liked
    15 times
    #3 in my list takes care of that.
    There and Back Again :Ogre:

  6. #5
    WDF Staff Wired's Avatar
    Join Date
    Apr 2003
    Posts
    7,656
    Member #
    1234
    Liked
    137 times
    meh.
    The Rules
    Was another WDF member's post helpful? Click the like button below the post.

    Admin at houseofhelp.com

  7. #6
    Senior Member ajaspers's Avatar
    Join Date
    Apr 2003
    Posts
    149
    Member #
    1150
    If you want to deny access to all files in the config/ directory, just put an .htaccess file there:
    Code:
    Deny from all
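
The two `.htaccess` suggestions from posts #2 and #6, combined as an added example that is not part of the original posts: `Deny from all` is the Apache 2.2 form, and Apache 2.4 expresses the same rule as `Require all denied`. The `/myscript/config/` location comes from the question; the directives are standard Apache ones.

```apache
# .htaccess placed in /myscript/config/ (directory name taken from the question)

# Apache 2.4 and later: access control is handled by mod_authz_core.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: fall back to the older Order/Deny syntax from post #6.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Post #2's setting: never generate a directory listing for this folder.
Options -Indexes
```

These lines only take effect if the server's `AllowOverride` setting for the directory permits them (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`, `Options` for `Options`); with `AllowOverride None` the file is ignored entirely. PHP's `include` reads the file from disk, so script.php can still load scriptconfig.php while direct browser requests are refused.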

  8. #7
    Senior Member rosland's Avatar
    Join Date
    Jul 2003
    Location
    Norway
    Posts
    1,944
    Member #
    2096
    If you create a folder outside your public web-root it won't be accessible from the outside, but you can still call it from within your pages.

    i.e.
    If all your files are placed in public_html (Apache), just create a new folder at the same level (side by side) with that folder and place your protected pages there. When required in your script, just call them with an absolute address in your script. (<? include "/home/url/catalog" ?>)

    An intruder would have to hack the server itself to gain access to this folder.
    S. Rosland

  9. #8
    Member
    Join Date
    Jun 2003
    Location
    Madison, WI, USA
    Posts
    30
    Member #
    1590
    Thanks everybody for the comments.

    rosland: I had been previously using something similar to that, but as I am now writing a few scripts that are meant for eventual distribution, I needed to include the config file in the same directory or a subdirectory, just to simplify the installation. Your idea works well, though.

    nsr81: Thanks for the .htaccess tip, I was wondering which command to use for the indices. There are all sorts of places I need to add that to my site.
    futureal@rctech.net | R/C Tech

