php security-Outside file access

i have read about the security tutorial from this site, about the outside file access, but not too understand, hope experts here can give me a bit explanation.

It all has to do with how you layout your directory structure. So, all files within the document root can be retrieved by the user. Therefore we might as well move everything else out of there so people cannot directly access it. This means we might have index.php and some static files such as CSS, Javascript and images laying inside the document root. We can even take it further and do so the only thing that is in index.php is the following:

 

  1. <?php 

  2. require '../public_index.php'; 

  3. ?> 

i just can't understand with the above code, what it meant? and if we move our php files out of public_html, where should we put them?

what it means is putting your files ABOVE the public_html folder and including them with PHP. since no one can access files above your web root directly (how would they specify the location? http://www.yoursite.com/../file.php?), this forces them to go through the files that include them.

what it means is putting your files ABOVE the public_html folder and including them with PHP.

what is meant with 'including them with PHP'? create a folder called "PHP" then put all the php files inside?

if put the php files above public_html, then how can i link the file? e.g in my index.php(must in public_html?) then how can i called another php file above public_html?

thanks!

i think you'll need to start with a basic tutorial about PHP itself before you delve into this sort of thing. the three lines you posted above are exactly how you'd include a file from above the web root with PHP.

Okay,

Lets say you have a folder structure like this

+folder1

+folder2

+public_html

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

and config.php held this

<?php
$database = "myDB";
$DBUser = "root";
$DBPass = "hidden:p";
?>

Now

http://www.mydomain.com/

will open http://www.yourdomain.com/index.php

but they could do this http://www.yourdomain.com/config.php

Now if PHP is running fine then no problems, BUT

as by Daniel Says:

Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote']

 

So just say php Fails

and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this

http://www.yourdomain.com/config.php

And Oh my they goes your database username and password.. infact they could steal your whole sites code and data!

 

So.. how do we stop this ?

Well they can see everything in public_html,

but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php

ie

<?php
   require '../hidden/index.php'; 
?>

 

 

+folder1

+folder2

+public_html

        index.php <--New index.php file

+hidden

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

 

How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well)

 

hope that helps

Okay,

Lets say you have a folder structure like this

 

+folder1

+folder2

+public_html

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

 

and config.php held this

<?php
$database = "myDB";
$DBUser = "root";
$DBPass = "hidden:p";
?>

 

Now

http://www.mydomain.com/

will open http://www.yourdomain.com/index.php

but they could do this http://www.yourdomain.com/config.php

Now if PHP is running fine then no problems, BUT

 

as by Daniel Says:

Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote']

 

So just say php Fails

and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this

http://www.yourdomain.com/config.php

And Oh my they goes your database username and password.. infact they could steal your whole sites code and data!

 

So.. how do we stop this ?

Well they can see everything in public_html,

but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php

ie

<?php
   require '../hidden/index.php'; 
?>

 

 

+folder1

+folder2

+public_html

        index.php <--New index.php file

+hidden

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

 

How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well)

 

hope that helps

 

really thanks for your very detail explanation...seem i get what you meant now...

 

just need confirmation...

 

so, now inside public_html, i still got an index.php with this code

<?php
   require '../hidden/index.php'; 
?>

 

then, in the same directory with public_html, i got another folder called 'hidden' like

 

public_html

  -index.php

hidden

  -index.php that is called

  -othersphpfiles.php

 

is that i get it right?

 

but, for the url displayed in the browser, what will displayed for when hidden/index.php is called?

www.mysite.com/../hidden/index.php?

 

thanks!

thats correct but you must think on 2 levels, file level access and domain level access

on file level this "/../hidden/index.php" will work

but on a domain level www.mysite.com/ this is root So www.mysite.com/../hidden/index.php wouldn't work  as you can't go back any lowe then root so

www.mysite.com/../hidden/index.php

is the same as

www.mysite.com/hidden/index.php

which will fail

thats correct but you must think on 2 levels, file level access and domain level access

on file level this "/../hidden/index.php" will work

but on a domain level www.mysite.com/ this is root So www.mysite.com/../hidden/index.php wouldn't work  as you can't go back any lowe then root so

www.mysite.com/../hidden/index.php

is the same as

www.mysite.com/hidden/index.php

which will fail

that's meant cannot perform domain level access?

or let me ask in another way, index.php inside public_html has called the index.php inside 'hidden' folder, the page is opened, then what will user see in the browser's url entry?

When hidden/index.php is included PHP will include the file and parsa it as normal, but their is no URL path to the hidden/index.php

When hidden/index.php is included PHP will include the file and parsa it as normal, but their is no URL path to the hidden/index.php

ok, thanks. i'll try it later and hope then i'll more understand it.

oh, ya, another question here...

i have created my own .htaccess, so now i have to move it to 'hidden' folder too?

if yes, how should i modify this line, the path?

php_value error_log /home/mysite/myfolder/php_errors.log

and my hosting did prepare those error file to be displayed when encounter error, like 400.shtml, 401.shtml...need i move them to 'hidden' folder?

thanks again!

OOOOW  keep your error logs out of the public folder...!

i guess like this

php_value error_log /home/hidden/logs/php_errors.log

The .htaccess will reside inside the document root. Apache doesn't care about what your PHP scripts includes, it just wants PHP to parse it because Apache doesn't know PHP. If at all possible you should put it in httpd.conf instead though. It's faster.

i have tried...

but, i faced this problem...

in my index.php(the one reside inside hidden folder), i got a href that called file1.php inside hidden/admin folder, so i just code it as normal like

<a href="admin/file1.php">

but, seem that it fail to link to that file, and attempt to find that file inside public_html...as i have removed it from public_html, so i got 404 not found error...

so, what should i specified in my a href?

thanks!

If your application is fundamentally differently designed, doing what I wrote in the tutorial is obviously not an option. It will only work when you route all requests through one file.

Take this URL for instance: http://www.phpfreaks.com/tutorial/php-security

There is no folder called tutorial and and no folder/file called php-security.

This is the very reason people should look at security from the start instead of right at the end..

In any case, any file that you need to open from the browser side will need to be in the public folder..

HOWEVER..

you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing

<?php
   require '../../hidden/admin/file1.php'; 
?>

that would also work.

BUT as your application hasn't be designed with this in mind, it may get very messy

A better approach would be to have a main control file, that opens each page

ie (basic example)

<?php
$valid = array("Home","Admin","Profile","etc");
if(isset($_GET['Page']) && in_array($_GET['Page'],$valid))
{
   include "../Hidden/".$_GET['Page']".php"
}
?>

This is the very reason people should look at security from the start instead of right at the end..

 

In any case, any file that you need to open from the browser side will need to be in the public folder..

HOWEVER..

you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing

<?php
   require '../../hidden/admin/file1.php'; 
?>

that would also work.

 

BUT as your application hasn't be designed with this in mind, it may get very messy

 

A better approach would be to have a main control file, that opens each page

ie (basic example)

<?php
$valid = array("Home","Admin","Profile","etc");
if(isset($_GET['Page']) && in_array($_GET['Page'],$valid))
{
   include "../Hidden/".$_GET['Page']".php"
}
?>

ya, i understand what you meant here. then i got 2 set of each php file, so will it got any shortcoming in this case? will it slow down the page loading? increase the site storage or any others?

thanks!

If your application is fundamentally differently designed, doing what I wrote in the tutorial is obviously not an option. It will only work when you route all requests through one file.

 

Take this URL for instance: http://www.phpfreaks.com/tutorial/php-security

There is no folder called tutorial and and no folder/file called php-security.

oh, what you meant by route all requests through one file? can give example?

i can't understand this concept... :'(

see my last post it has basic example

see my last post it has basic example

oh, the concept you have given above is 'route all requests through one file'...

i see...

but, how about my question posted above:

so will it got any shortcoming in this case? will it slow down the page loading? increase the site storage or any others?

Nothing springs to mind, the logs will show that index.php is being used a lot, but thats about all!

Nothing springs to mind, the logs will show that index.php is being used a lot, but thats about all!

ok, thanks!

i remember one thing in my previous test, when my index.php(inside hidden folder) include another file in hidden folder too, then the problem of finding file inside public_html mentioned above won't exist, it can just simply link the file without problem...

so, i just want to confirm, is that in the case of include file then no such problem, but if use a href then need to apply the concept you just suggested?

thanks!

Correct

This is the very reason people should look at security from the start instead of right at the end..

 

In any case, any file that you need to open from the browser side will need to be in the public folder..

HOWEVER..

you could use the same trick as above, for example admin/file1.php doesn't exist.. but it could if you create the admin folder and added a file called admin/file1.php containing

<?php
   require '../../hidden/admin/file1.php'; 
?>

that would also work.

 

BUT as your application hasn't be designed with this in mind, it may get very messy

 

A better approach would be to have a main control file, that opens each page

ie (basic example)

<?php
$valid = array("Home","Admin","Profile","etc");
if(isset($_GET['Page']) && in_array($_GET['Page'],$valid))
{
   include "../Hidden/".$_GET['Page']".php"
}
?>

with the second approach, is that meant all my link need to modify from

<a href="admin/myfile1.php"> to

<a href="index.php?page=file1"> ?

that's meant GET will be used for each case to load a page...

i would like to know is that secure to use GET in this case? i need just to code as your suggestion or need to do any other prevention to avoid being hacked in this GET used? as a newbie, i just feel that it's insecure to use GET because i know very little about website security and not sure how to prevent those attack effectively...

The GET is validated via the $valid array, so if something that's not in that array is used it will fail

<?php
$valid = array("Home","Admin","Profile","etc");
if(isset($_GET['Page']) && in_array($_GET['Page'],$valid))
{
   include "../Hidden/".$_GET['Page']".php"
}
?>

you could clean it up a little by also adding default

ie

<?php
$valid = array("Home","Admin","Profile","etc");
if(isset($_GET['Page']) && in_array($_GET['Page'],$valid))
{
   include "../Hidden/".$_GET['Page']".php";
}else{
   include "../Hidden/index.php"; //or failed.php (whatever!)
}
?>

Okay,

Lets say you have a folder structure like this

 

+folder1

+folder2

+public_html

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

 

and config.php held this

<?php
$database = "myDB";
$DBUser = "root";
$DBPass = "hidden:p";
?>

 

Now

http://www.mydomain.com/

will open http://www.yourdomain.com/index.php

but they could do this http://www.yourdomain.com/config.php

Now if PHP is running fine then no problems, BUT

 

as by Daniel Says:

Normally' date=' pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good[/quote']

 

So just say php Fails

and someone opens http://www.yourdomain.com/index.php all your index.php code will be displayed, while that may not be too bad they could also do this

http://www.yourdomain.com/config.php

And Oh my they goes your database username and password.. infact they could steal your whole sites code and data!

 

So.. how do we stop this ?

Well they can see everything in public_html,

but just say we create another folder called hidden and move everything their, well it will be hidden but no one can access it.. so we then create a new index.php file in public_html and tell that to use the hidden index.php

ie

<?php
   require '../hidden/index.php'; 
?>

 

 

+folder1

+folder2

+public_html

        index.php <--New index.php file

+hidden

        +classes

                login.php

                logout.php

        +html_files

        index.php

        config.php

 

How while this works well for code its hell for images javascript and CSS, so it maybe an idea to only move code to a out of touch place, (of course if images are private you could use the same idea for them as well)

 

hope that helps

 

So you can include("../hidden/whatever.php"), but you can't <img src="../hidden/whatever.jpg" />?

 

and if so... is there any way at all to put an image in a hidden folder and be able to use it on your webpage without allowing other people to link to it or host it on their sites?

 

same sort of question for javascript and css