You can create a .htaccess file in the includes directory and put something like

    Order Deny,Allow
    Deny from all

.htaccess file:
http://apachetoday.com/news_story.php3?ltsn=2000-07-19-002-01-NW-LF-SW

Deny directive:
http://httpd.apache.org/docs/mod/mod_access.html#allow

In order for this to work the http.conf file must allow this option. All of my esmith test boxes are in parts right now so I cannot check this for you.

Another solution is to end all the includes with .php. This way they will be processed by the php runtime and the user will not see any passwords (the entire file is surrounded by <?php ?>, so it would just set the variables and then exit).

Since it's too hard to rewrite the app you can add .inc to the files that are run through .php.

In the http.conf you should see something like

    AddType application/x-httpd-php .php

This tells apache that files ending in .php should be handled by the php engine. Just add

    AddType application/x-httpd-php .inc

and all .inc will be treated as php files (ONLY when the browser directly requests one, it will not affect how it is included by other php files).

Let me know what works,

Thanks,
-Aaron Held
http://www.MetroNY.com

P.S. I've been playing with eSmith for a while now and the first bid with it that I won is 'in the mail'. It's nice that I can make a demo and sale before paying to be a reseller.

----- Original Message -----
From: "Michael Doerner" <[EMAIL PROTECTED]>
To: "devinfo" <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 8:24 PM
Subject: [e-smith-devinfo] was: webcalendar, now: Apache setup option
> I followed Darrell's instructions to set up webcalendar and it worked
> perfectly here (thanks Darrell!).
>
> Reading the product's own instructions in the install file points me to a
> http server question:
>
> >>You might want to configure your web server so that users can not access
> the "includes" directory. For example, if a user typed in the URL for the
> "includes/config.inc" file, they would be able to see your database login
> and password, which is not a good thing. See your web server documentation
> on how to do this. <<
>
> Can somebody help me with that because I definitely want to avoid any user
> access to the lower directory levels there.
> Where to start reading (which Apache setup parameters might be required),
> etc.?
>
> Thanks for any help.
>
> Kind Regards,
> Michael Doerner
>
>
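
Added example, not part of the original messages or of webcalendar's own code: a small Python audit that classifies what a direct browser request for each file in an includes directory would do under the two options discussed above (a deny-all .htaccess, or mapping the extension to PHP with AddType). The function names, status strings and sample file contents are constructed for illustration, and php_exts must be set by hand to match the AddType lines in the server configuration.

```python
import os
import re
import tempfile

DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
PHP_BLOCK_RE = re.compile(r"<\?php.*?(\?>|\Z)", re.S)  # closing ?> is optional at EOF

def htaccess_denies(directory):
    """True if directory/.htaccess has a deny-all line (only effective if the server allows overrides)."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False

def fully_php(text):
    """Heuristic: True if no text sits outside <?php ... ?> (such text is sent to the browser as-is)."""
    return text.lstrip().startswith("<?php") and PHP_BLOCK_RE.sub("", text).strip() == ""

def audit_includes(directory, php_exts=(".php",)):
    """Classify a direct request for each file; php_exts = extensions that have a PHP AddType line."""
    denied = htaccess_denies(directory)
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.startswith(".ht") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if denied:
            report[name] = "denied-by-htaccess"
        elif os.path.splitext(name)[1].lower() not in php_exts:
            report[name] = "source-exposed"  # served as plain text, credentials visible
        else:
            report[name] = "executed" if fully_php(text) else "executed-with-stray-text"
    return report

def demo():
    """Constructed sample directory: audit as-is, with .inc mapped to PHP, then with .htaccess added."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"config.inc": "<?php $db_password = 'example-only'; ?>\n",
                   "header.inc": "<!-- db: example-only -->\n<?php $title = 'x'; ?>\n"}
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        as_is = audit_includes(d)
        with_addtype = audit_includes(d, php_exts=(".php", ".inc"))
        with open(os.path.join(d, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("Order Deny,Allow\nDeny from all\n")
        return as_is, with_addtype, audit_includes(d)
```

The "executed-with-stray-text" status flags files where the AddType approach alone still sends something to the browser, because anything outside the PHP tags is output verbatim.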