How to prevent direct access to my PHP code?

13

I have a PHP application and I do not want the user to be able to type the name of a specific file into the address bar, for example { example.com/enviar.php }. All my files are called from index.php; how could I block direct access to all of them except the index?

Detail: I use the Apache server running on Debian 8.

asked by anonymous 19.11.2015 / 00:53

4 answers

8

I use the following rule in the .htaccess of my WordPress blog:

# Apache 2.2 access-control syntax (on Apache 2.4 it only works with mod_access_compat loaded)
# First: deny every .php file
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>

# Then: a later <Files> section for index.php overrides the block above for that one file
<Files index.php>
    Order Allow,Deny
    Allow from all
</Files>

The first part denies access to all .php files and the second one opens access only to index.php.

So in my case, with WordPress, if someone tries to access a file like wp-config.php that sits in the root, they receive a "not found" warning page instead of the file.

It can be used on non-WordPress sites as well.

19.11.2015 / 01:11
4

You could do this by creating a folder where all of your protected files live, and inside that folder create a .htaccess file containing the directive below, which forbids access to the folder over HTTP and returns a 403 error to anyone who tries to access any file inside it:

Deny from all

And in the root of your application, where the index.php file is, you could put another .htaccess with the following commands, if you want to work with friendly URLs:

RewriteEngine on

# Only rewrite requests that do not match an existing file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Send everything else to index.php, with the original path appended as PATH_INFO
RewriteRule ^(.*)$ /index.php/$1 [L]

Within the index.php file you would then have to handle the $1 request argument.

The structure of the folders might look like this:

19.11.2015 / 01:13
4

A safe technique is directory retreat (moving the code out of the document root).

We can also work with other techniques, such as defining a constant or access permission rules for a public folder.

This depends on the web server you use.

I consider directory retreat safer because it protects both the client side and the server side.

To understand better, imagine a situation where the site owner has FTP access, but you do not want this person to have access to the system code. It is recommended not to leave the system open even to the owner, especially a layperson, because one day they will inevitably tamper with the code, causing bugs or something more serious.

How to do directory retreat?

The public folder would contain only the index.php file.

In this index.php file, you include a file from a private folder.

Structure example:

/var/www/website.foo/public
/var/www/website.foo/app
/var/www/website.foo/logs

In the example above, the document root is /var/www/website.foo/public

The index.php file would be inside this directory: /var/www/website.foo/public/index.php

All other .php files of the system go outside the public folder:

/var/www/website.foo/app/foo.php
/var/www/website.foo/app/bar.php

Because this directory is not publicly accessible, you are safe. However, a third person with server access via FTP or SSH can still access the files.

If you want to enforce security, do not give SSH or FTP access to this directory to unauthorized persons.

For a client who wants FTP access, grant access only to the public directory.

The client is still at risk of running PHP scripts inside the public folder.

For these cases, you can also block PHP scripts from executing in the public folder. The problem is that index.php would then no longer work.

One solution is to create a symbolic link so that even index.php can stay outside the public folder.

This way all files, including index.php, are protected both from the visitor and from the FTP user.

On Linux systems, the symbolic link can be made as follows:

# ln -s TARGET LINK: the link in public/ points at the real file in app/
# (Apache follows it only when Options FollowSymLinks is set for the directory)
ln -s "/var/www/website.foo/app/index.php"  "/var/www/website.foo/public/index.php"

In a Windows environment:

rem mklink takes the LINK first, then the TARGET; with no /D or /J switch it creates a file symlink
rem (/J creates a directory junction and does not work for a single file)
mklink "c:\www\website.foo\public\index.php" "c:\www\website.foo\app\index.php"

An obstacle to using directory retreat or symbolic links is when the system runs in an environment where we are not allowed to run commands, and in many cases where it is not even possible to do directory retreat. This situation is common on shared hosting with an outdated setup.

19.11.2015 / 01:52
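The piece that answers 2 and 3 leave to the reader is the index.php that handles the `$1` part of the rewritten URL and pulls the real code in from outside the document root. The following is an added example, not code from any of the answers above: a public/index.php that maps PATH_INFO to handler files through a fixed allowlist (so the request is never used as part of a path) and defines a constant that the included files can check. It assumes PHP 7.0 or newer, the directory layout from answer 3 and the rewrite rule from answer 2; the names `APP_ENTRY`, `APP_DIR`, `ROUTES` and the page files under app/pages/ are hypothetical.

```php
<?php
// public/index.php  (added example; assumes the layout from answer 3 and the
// rewrite rule from answer 2, which turns /enviar into /index.php/enviar)
//
//   /var/www/website.foo/public/index.php      the only PHP file under the document root
//   /var/www/website.foo/app/pages/home.php    hypothetical page handlers
//   /var/www/website.foo/app/pages/enviar.php

// Constant the page files test (see the bottom of this file), so that a page
// file accidentally copied under the document root still refuses to run when
// it is fetched directly.
define('APP_ENTRY', true);

// Private code lives one level above the document root, so Apache never serves it.
define('APP_DIR', realpath(__DIR__ . '/../app'));

// Allowlist: route name => handler file. The request is only ever used as a
// lookup key, never as part of a path, so "../", null bytes or absolute paths
// in the URL cannot pull arbitrary files into require (no local file inclusion).
const ROUTES = [
    ''       => 'pages/home.php',
    'home'   => 'pages/home.php',
    'enviar' => 'pages/enviar.php',
];

/**
 * Map the PATH_INFO of the request ("/enviar" for /index.php/enviar) to an
 * absolute handler path, or return null when the route is unknown.
 */
function resolve_route($pathInfo)
{
    $name = trim((string) $pathInfo, '/');
    if (!array_key_exists($name, ROUTES)) {
        return null;
    }
    $file = realpath(APP_DIR . '/' . ROUTES[$name]);
    // Defence in depth: even an allowlisted entry must resolve inside APP_DIR.
    if ($file === false || strpos($file, APP_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function dispatch($pathInfo)
{
    $file = resolve_route($pathInfo);
    if ($file === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "Not found\n";
        return;
    }
    require $file;
}

dispatch(isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '');

// Each handler under app/pages/ starts with this guard (hypothetical constant):
//
//   if (!defined('APP_ENTRY')) { http_response_code(403); exit; }
//
// With the handlers outside the document root the guard is redundant, but it
// costs nothing and still covers the shared-hosting case from answer 3, where
// the files cannot be moved out of the public folder.
```

With this layout the app/ directory needs no .htaccess at all, because it is outside DocumentRoot and Apache cannot serve it; the allowlist is what keeps the `$1` argument from becoming an include path. One caveat for the `.htaccess` snippets in the answers above: `Order` / `Deny from all` are Apache 2.2 directives, and Debian 8 ships Apache 2.4, where they only work while mod_access_compat is loaded; the native 2.4 forms are `Require all denied` and `Require all granted`.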
4

Having developed my project procedurally, without using any framework (just a mini-framework for session authentication that only works for files in the root: /) or design pattern, I went through this dilemma recently, and the best solution I found was putting everything that will not be accessed over HTTP (basically files pulled in by include or require) in a folder, with this .htaccess in it:

deny from all

And in another folder I put what has to be accessed over HTTP (*.js, *.css and some HTML files), and in the root I put the main files, which are restricted through the session. And I think that without a defined constant and a framework, there is not much else to do.

I know this does not answer the question; I just wanted to pass on my recent experience before translating (freely, with Google's help) this excellent answer from SOen:

Are you sure you want to do this? Even for CSS files, JS and images...?

OK, first check that mod_access is installed with Apache, and then add the following to your .htaccess:

# Top level: everything is denied except from localhost
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# <Files> matches the file name only (no leading slash), so "index.php", not "/index.php"
<Files index.php>
    Order Allow,Deny
    Allow from all
</Files>

The first directive forbids access to any file except from localhost, and because of Order Deny,Allow the Allow is applied afterwards, so the second directive opens access only to index.php.

Warning: there is no space after the comma in the Order line.

[EDIT:]

To allow access to the .css or .js files, use this directive:

<FilesMatch ".*\.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

You cannot use <Location> or <Directory> directives within .htaccess files.

Another option would be to use <FilesMatch ".*\.php$"> around the first group, and then explicitly allow access to index.php.

19.11.2015 / 01:25