htaccess


#1
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
I actually don't know if this is the right forum, but it has to do with PHP too.

In my system, I have subdirs with includes and other things.
I would like to know how I can prevent users from accessing those dirs directly, or the content of the dirs, but let PHP include files from there without any problems.

Does anyone have good knowledge of htaccess?


Edit: I could create an index.php, but that will still allow access to the other files...

#2
mikelbring

    Programmer

  • Members
  • 118 posts
So do you want to just hide the directory listing, or actually allow no one to even go to a file in that directory, even if they know the route of a file in it? You could also use permissions.

Realize the Web Web services and design.


#3
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
If I wanted to prohibit directory listing, I could just create an index.php file.

So no, I want to forbid any access from web browsers to files that are in that directory, but the server should be able to include PHP files from there.

Are you talking about file permissions? Then it won't help, as the server must see the files to include them, and what the server can see, the user can acquire if not denied by an .htaccess file.

#4
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
Haha, stupid me.

I thought it might be a problem of course, but it is enough to add an .htaccess file with the content

deny from all

and PHP will still read from the file. That's great. I solved it myself.

#5
mikelbring

    Programmer

  • Members
  • 118 posts
Well, I do know IndexIgnore * will make it so the index is forbidden, but if they know the directory name of a file they could still go to it.

Quote

Are you talking about file permissions? Then it won't help, as the server must see the files to include them, and what the server can see, the user can acquire if not denied by an .htaccess file.

I was actually talking about CHMOD.


#6
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts

mikelbring said:

I was actually talking about CHMOD.

Yes, chmod is file permissions, and that isn't relevant in this case. The only thing that is relevant in this case with file permissions is, as usual, that the web server user can read the files.

But an htaccess that denies all only denies web access to the files, not script access from another directory.

#7
mikelbring

    Programmer

  • Members
  • 118 posts
Pretty much like you said. Put this in a htaccess in the directory.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1


#8
John

    Writes binary right handed and hex left handed

  • Moderators
  • 6,321 posts
One technique that I often use for files that I want scripts to access, but not users, is to simply place the scripts above the www directory.

Perhaps my www root directory is /home/john/www/;
If I place a configuration file in /home/john/ then a php file in my www directory can access it by using the direct path /home/john/config.php or just a relative path ../config.php

#9
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
Yes, but I'm building a tiny web app that might be installed wherever by whoever. I don't know the server setups and stuff, so it's easier this way to make it pretty safe.
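
An added example, not part of the original thread: the `deny from all` rule in posts #4 and #7 is Apache 2.2 syntax, and Apache 2.4 expresses the same rule as `Require all denied`. For an app installed on unknown servers, as in post #9, one .htaccess can carry both forms; this assumes the server is Apache and that its AllowOverride setting lets .htaccess files set access rules.

```apache
# .htaccess for the include directory (added example).
# Blocks every HTTP request for files in this directory and below.
# PHP include/require reads the files from disk, so it is not affected.

# Apache 2.4: access control is handled by mod_authz_core.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use the older directives.
# (On 2.4 these only work when mod_access_compat is loaded; without it
# they cause a 500 error, which is why they are kept out of the 2.4 branch.)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

If the directory is covered by `AllowOverride None` (the Apache 2.4 default) or the server is not Apache, the file is ignored and the includes stay reachable. After installing, request one of the include files in a browser and confirm the response is 403.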