I have a PHP application and I do not want the user to type in the address bar the name of a specific file, for example { example.com/enviar.php }, all my files are called by index.php, how could I avoid direct access to all of them except the index?
Detail: I use the Apache server running on Debian 8.
I use in htaccess of my blog in wordpress the following rule
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
The first part denies access to all .php files and the second one releases access only to index.php
So in my case wordpress if the person tries to access a file like the wp-config.php that stays in the root receives a page warning not found instead of the page.
Can be used on non-wordpress sites as well
You could do this by creating a folder where all of your files are protected and inside that folder you would create a .htaccess file by placing that statement below it, which causes folder access to be forbidden by http request and thus returning a 403 error for the user who tries to access any file inside the folder:
Deny from all
And in the root of your application where the index.php file is, you could put another .htaccess with the following commands, if you want to work with a friendly url:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
Where within the index.php file you would have to handle the $ 1 request argument.
The structure of the folders might look like this:
A safe technique is for directory indentation.
We can also work with other techniques such as defining a constant or the access permission rules for a public folder.
This feature depends on the page server you use.
I consider directory backing safer because it protects both the client side and the server side.
To better understand, imagine a situation where the site owner has access to FTP. But you do not want this guy to have access to system codes. It is recommended not to leave the system as open even to the owner, especially when it is a layman, because fatally one day the subject will tamper with the codes, causing bugs or something more serious.
How to do directory retreat?
In the public folder would have only the index.php file.
In this index.php file, you make an include in a file in a private folder.
Structure example.
/var/www/website.foo/public
/var/www/website.foo/app
/var/www/website.foo/logs
In the example above, the root directory is /var/www/website.foo/public
The index.php file would be inside this directory /var/www/website.foo/public/index.php
All other system .php files, put out the public folder.
/var/www/website.foo/app/foo.php
/var/www/website.foo/app/bar.php
Because this directory is not publicly accessible, you are safe. However, a third person with server access via FTP or SSH can still access the files.
If you want to enforce security, do not give SSH or FTP access to this directory for unauthorized persons.
For the client who wants to have FTP access, release it to access only from the public directory.
The client is still at risk of running php scripts inside the public folder.
For these cases, you can also block PHP scripts from running on the public folder. The problem is that index.php would no longer work.
One solution to this is to create a symbolic link where even the index.php could stay outside the public folder.
In this way we have all files, including index.php, protected both from the visitor and the FTP user.
On Linux systems, the symbolic link can be made as follows:
ln -s "/var/www/website.foo/app/index.php" "/var/www/website.foo/public/index.php"
In Windows environment:
mklink /j "c:\www\website.foo\app\index.php" "c:\www\website.foo\public\index.php"
An obstacle to the use of directory retreat or symbolic link is when the system runs in an environment where we are not allowed to run command lines, and in many cases where it is not even possible to do directory retreat. This situation is common in shared hosting with outdated structure.
For having developed my project procedurally, without using any framework (just a miniframework for session authentication that only works for root archives: /) or design pattern, I ended up going through this dilemma recently, and the best solution I found was putting everything that will not be accessed by http (basically files included by include or require ) in a folder, and .htaccess dela:
deny from all
And in another folder I put what has to be accessed by http (* JS, * CSS, and some html's ) and in the root I put the main files where they are restricted through session. And I think without a% defined_default and a framework, there is not much else to do.
I know this does not answer the question, I just wanted to get past my recent experience before translating (freely with Google help) this excellent answer from SOen :
Are you sure you want to do this? Even with css files, js and of images ...?
OK, first check that
design patternis installed with Apache, and then add the following to yourmod_access:Order Deny,Allow Deny from all Allow from 127.0.0.1 <Files /index.php> Order Allow,Deny Allow from all </Files>The first directive prohibits access to any files except the from localhost, and because of
.htaccess, the The second directive only frees access fromOrder Deny, Allow Allow.Warning: There is no space after the comma in the order line.
[EDIT:]
To allow access to the .css or * .js files using this directive:
<FilesMatch ".*\.(css|js)$"> Order Allow,Deny Allow from all </FilesMatch>You can not use guidelines for
index.phpor<Location>within<Directory>files.One option would be to use
.htaccessaround the group first<FilesMatch ".*\.php$">, and then explicitly allow the access toallow,deny group.