Re: [PHP] Protecting files with PHP
Read this -- it got me well and truly pointed in the right direction: http://zend.com/zend/trick/tricks-august-2001.php

Justin

On Friday, July 18, 2003, at 01:36 AM, Juan Nin wrote:

> I need to do the same, and a .htaccess file would not suit the problem. I need to do as yahoogroups does: when you upload a file to the Files section, it sends by default an e-mail to the group members with a link to the file. When you click on the link, you're sent to a login page, and after logging in you get the file. How can you achieve this with PHP? An .htaccess file would deny the access, or ask for a username/passwd at HTTP server level, and that is not the desired effect.
>
> Thanks in advance,
> Juan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Protecting files with PHP
Maria Garcia Suarez <[EMAIL PROTECTED]> wrote:

> Hi there!
>
> I'm developing an application to which you can upload files. Right now the destination folder of those files is at /public_html/files which makes them visible from the internet.
>
> I thought of putting that ./files/ folder outside the ./public_html/ folder and make those files be only accessible via PHP pages (if the pages don't display a link to that folder there's no way to download the file). But, is there any way to keep on having the ./files/ folder inside ./public_html/ and have those files protected? Right now to identify users (authenticate them) I use session variables... it should be a protection that could be used together with session variables

(assuming you're using apache)

You can use a .htaccess file to protect the files that are in your public web tree. Although I would not suggest this method for a few reasons:

1. if the .htaccess somehow gets modified and changes the deny all rule, your files are open.
2. You (or someone) changes apache conf to not allow support for .htaccess (.htaccess slows web performance)
3. Apache is recompiled without .htaccess support (again performance reasons)
4. Your http process must have write permissions to your public web files. (I suppose a separate chmod would work but then again see next item)
5. absent mindedness.

I would suggest to make the file storage location outside the web tree and have a php script check permissions via your session variables and then send the file. You might want to send a few headers with the file.

Content-Type:
Content-Length:

HTH,
Curt
Re: [PHP] Protecting files with PHP
I need to do the same, and a .htaccess file would not suit the problem. I need to do as yahoogroups does: when you upload a file to the Files section, it sends by default an e-mail to the group members with a link to the file. When you click on the link, you're sent to a login page, and after logging in you get the file. How can you achieve this with PHP? An .htaccess file would deny the access, or ask for a username/passwd at HTTP server level, and that is not the desired effect.

Thanks in advance,
Juan
Re: [PHP] Protecting files with PHP
Petre Agenbag wrote:

> If you place files inside a webfolder, then they are publicly accessible, period.

Not true. .htaccess turns a "public" directory into a "private" directory. Even if you know the path and filename you want, without an accepted username/password, you're not getting the file.

> They might not be obvious, i.e. you would have to guess that there are files in a specific folder AND know the exact name of the file, but if you do happen to guess correctly, then the files are downloadable. There are ways to still have files in "public" folders and have a measure of extra protection, but that is up to your webserver, and not PHP.

Not true. You can easily write php code to secure either certain areas, or the entire web site.

> Use .htaccess to place a username/password on the folder, or better yet, you can use ftp, but then you place the files outside the webfolder. PHP has built in ftp functions that would allow you to create a pretty secure system to give access to files.

FTP bad. Friends don't let friends use FTP. And this isn't a security measure. What's to stop me from bypassing your PHP code, and just FTP'ing directly into your site?

The long and the short of it is, there are numerous ways to secure an area of your site. PHP, .htaccess, web server configuration, any combination of the three. However, the quickest, dirtiest, and most "good enough for government" way would be .htaccess

> On Thu, 2003-07-17 at 15:58, Maria Garcia Suarez wrote:
> > Hi there!
> >
> > I'm developing an application to which you can upload files. Right now the destination folder of those files is at /public_html/files which makes them visible from the internet.
> >
> > I thought of putting that ./files/ folder outside the ./public_html/ folder and make those files be only accessible via PHP pages (if the pages don't display a link to that folder there's no way to download the file). But, is there any way to keep on having the ./files/ folder inside ./public_html/ and have those files protected? Right now to identify users (authenticate them) I use session variables... it should be a protection that could be used together with session variables
> >
> > Thanks a lot.
> >
> > Kisses,
> > Maria

-- 
By-Tor.com
It's all about the Rush
http://www.by-tor.com
Re: [PHP] Protecting files with PHP
If you place files inside a webfolder, then they are publicly accessible, period. They might not be obvious, i.e. you would have to guess that there are files in a specific folder AND know the exact name of the file, but if you do happen to guess correctly, then the files are downloadable.

There are ways to still have files in "public" folders and have a measure of extra protection, but that is up to your webserver, and not PHP. Use .htaccess to place a username/password on the folder, or better yet, you can use ftp, but then you place the files outside the webfolder. PHP has built in ftp functions that would allow you to create a pretty secure system to give access to files.

On Thu, 2003-07-17 at 15:58, Maria Garcia Suarez wrote:
> Hi there!
>
> I'm developing an application to which you can upload files. Right now the destination folder of those files is at /public_html/files which makes them visible from the internet.
>
> I thought of putting that ./files/ folder outside the ./public_html/ folder and make those files be only accessible via PHP pages (if the pages don't display a link to that folder there's no way to download the file). But, is there any way to keep on having the ./files/ folder inside ./public_html/ and have those files protected? Right now to identify users (authenticate them) I use session variables... it should be a protection that could be used together with session variables
>
> Thanks a lot.
>
> Kisses,
> Maria
Re: [PHP] Protecting files with PHP
Place a .htaccess in the files directory denying all access to it, and also possibly redirecting them to a login page. However, since your users should never know about the files/ directory there is no real point :)

Then code a PHP script to serve the files just in the same way you would if they were outside of the public_html. Since your PHP script will be reading the files from the file system they will have no problem accessing the files and serving them out.

Hope that helps.

Andrew

----- Original Message -----
From: "Maria Garcia Suarez" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 2:58 PM
Subject: [PHP] Protecting files with PHP

> Hi there!
>
> I'm developing an application to which you can upload files. Right now the destination folder of those files is at /public_html/files which makes them visible from the internet.
>
> I thought of putting that ./files/ folder outside the ./public_html/ folder and make those files be only accessible via PHP pages (if the pages don't display a link to that folder there's no way to download the file). But, is there any way to keep on having the ./files/ folder inside ./public_html/ and have those files protected? Right now to identify users (authenticate them) I use session variables... it should be a protection that could be used together with session variables
>
> Thanks a lot.
>
> Kisses,
> Maria
Re: [PHP] Protecting files
If the script is readable by the web server (which it must be in order to be parsed) and the web server only runs as one user (which it usually does) then your scripts will be readable by other users on the same server, and anyone with command line or telnet/ssh access will have at least read-only source code access to your application.

You generally do not have to worry about other sites seeing your source code because PHP is a server-side language, so the source is parsed before any content is sent; you would mostly worry about this if a misconfiguration on the server resulted in .php files being sent as some other content type and not being parsed by PHP.

Jason

On Tue, 2003-02-18 at 00:00, Nate wrote:
> I wonder though, if they're on the same server but different sites. Like a shared host environment. Aw, the things that bewilder the mind.
>
> Nate
>
> "Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message news:01c2d710$81a68e20$6301a8c0@ukiuki...
> > That is called Cross-Site Scripting (XSS).
> > I have not been able to get access to the variables via an XSS exploit.
> > It appears that Apache renders the php code before sending off the requesting include function.
> >
> > I also like the .htaccess way of preventing user access to the scripts.
> > This is also worthy of further investigation.
> >
> > Bryan
Re: [PHP] Protecting files
I wonder though, if they're on the same server but different sites. Like a shared host environment. Aw, the things that bewilder the mind.

Nate

"Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message news:01c2d710$81a68e20$6301a8c0@ukiuki...
> That is called Cross-Site Scripting (XSS).
> I have not been able to get access to the variables via an XSS exploit.
> It appears that Apache renders the php code before sending off the requesting include function.
>
> I also like the .htaccess way of preventing user access to the scripts.
> This is also worthy of further investigation.
>
> Bryan
RE: [PHP] Protecting files
That is called Cross-Site Scripting (XSS).
I have not been able to get access to the variables via an XSS exploit.
It appears that Apache renders the php code before sending off the requesting include function.

I also like the .htaccess way of preventing user access to the scripts.
This is also worthy of further investigation.

Bryan
Re: [PHP] Protecting files
Just something that crossed my mind a few times. What if another website includes this file in their own php page? That site can't access those variables, can they? (I'm sure PHP wouldn't allow that but I need to put this curiosity to rest)

Nate

"Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message news:005301c2d6dd$47a11250$6301a8c0@ukiuki...
> > How can I protect my php files among other files like templates
> > (.inc) and mysql config (config.inc) files being copied/read/imported
> > (front page)/used by other applications other than my site...
> > can this be done by htaccess? if so, could anyone point me in the right
> > direction?
>
> I have renamed my sensitive (those containing l/p for mail and mysql) files to .php and constructed them to render a blank page if ever directly called.
>
> Something like this:
>
> All the sensitive code:
>
> <?php
> $db_login = "user";
> $db_pwd = "password";
> $mail_login = "mail";
> $mail_pwd = "pass";
> ?>
>
> I do not think that -r to everyone would work in that Apache still needs to read the file when included by another script.
>
> Still looking for a better way. What concerns me the most is if a code disclosure bug is later discovered in 4.3.0 or another version.
>
> Bryan
Re: [PHP] Protecting files
The issue here is that Apache is running as a single user, so that single user must be able to read all php scripts it wants to parse. So, putting the files in a non-htdocs directory can help a little, but Apache still can read them, if anyone else on the server asks apache to.

The real way to protect files is with permissions, AND using some sort of CGI wrapper or SuExec. That allows each virtual host in Apache to run as the user that owns the files. That way you can say "Only my apache user can read my files" so all the other hosts on the site can't have apache reading your files.

The problem is, although I'm still foggy on this, is that these cgi wrappers and SuExec ONLY work with cgi applications. So, if you run php as an Apache module, the wrappers won't work. If I'm wrong about that, please let me know.

There are some user notes about this here:
http://www.php.net/manual/sl/function.fopen.php

HTH,

Peter Janett

New Media One Web Services
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882

----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "Pax" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 5:40 PM
Subject: Re: [PHP] Protecting files

> My preference
>
> 1. if possible, store the files above your public_html directory (doc root)... this means they cannot be served over http:// by apache. if that isn't possible:
>
> 2. use .htaccess to either block the entire directory of includes, or all *.inc files, or whatever you think is best. Personally, I block *.inc across all my sites, via a .htaccess file in the doc root:
>
> Order Allow,Deny
> Deny from all
>
> 3. I don't think permissions (chmod) of the file will help much, since apache needs to read the files for them to be included... you should make sure that other users on the server cannot include() your .inc files from their account... if they can, find a new ISP ASAP, because they're obviously DUMB.
>
> I personally don't like the idea of naming all inc files *.php, because there is a CHANCE that they might be executed out of context (imagine if you had an include file which (stupidly) worked fine within the context of your whole site, but accidentally deleted a whole table of data if executed on its own... YUK!!).
>
> The upside of naming them .php is that if the server's sys admin accidentally takes away permission for .htaccess files, or you accidentally delete your own .htaccess file, you're still protected.
>
> Perhaps you could consider BOTH:
>
> Order Allow,Deny
> Deny from all
>
> ... this will prevent them being served at all... in the event that the .htaccess is deleted or disabled, you can rest easy that PHP will parse them, so that they cannot see the raw file.
>
> By the way, this has been discussed in the archives MANY times, so do some background research first... or even right now :)
>
> Justin
>
> on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:
>
> > Hello,
> >
> > How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...
> >
> > can this be done by htaccess? if so, could anyone point me in the right direction?
Re: [PHP] Protecting files
My preference

1. if possible, store the files above your public_html directory (doc root)... this means they cannot be served over http:// by apache. if that isn't possible:

2. use .htaccess to either block the entire directory of includes, or all *.inc files, or whatever you think is best. Personally, I block *.inc across all my sites, via a .htaccess file in the doc root:

Order Allow,Deny
Deny from all

3. I don't think permissions (chmod) of the file will help much, since apache needs to read the files for them to be included... you should make sure that other users on the server cannot include() your .inc files from their account... if they can, find a new ISP ASAP, because they're obviously DUMB.

I personally don't like the idea of naming all inc files *.php, because there is a CHANCE that they might be executed out of context (imagine if you had an include file which (stupidly) worked fine within the context of your whole site, but accidentally deleted a whole table of data if executed on its own... YUK!!).

The upside of naming them .php is that if the server's sys admin accidentally takes away permission for .htaccess files, or you accidentally delete your own .htaccess file, you're still protected.

Perhaps you could consider BOTH:

Order Allow,Deny
Deny from all

... this will prevent them being served at all... in the event that the .htaccess is deleted or disabled, you can rest easy that PHP will parse them, so that they cannot see the raw file.

By the way, this has been discussed in the archives MANY times, so do some background research first... or even right now :)

Justin

on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:

> Hello,
>
> How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...
>
> can this be done by htaccess? if so, could anyone point me in the right direction?
Re: [PHP] Protecting files
Try putting your config files in a directory outside of the root web directory and access the files via the include_path directive in the php.ini file. If you don't have access you can create a .htaccess file or set the configuration in a php script that is run before your other scripts.

http://www.php.net/manual/en/configuration.changes.php
http://www.php.net/manual/en/function.ini-set.php

That should help you out.

Ray

On Mon, 2003-02-17 at 14:17, PR wrote:
> Hello,
>
> How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...
>
> can this be done by htaccess? if so, could anyone point me in the right direction?
>
> --
> Thank you,
> Paul
RE: [PHP] Protecting files
CAPS

> > How can I protect my php files among other files like templates
> > (.inc) and mysql config (config.inc) files being copied/read/imported
> > (front page)/used by other applications other than my site...
> > can this be done by htaccess? if so, could anyone point me in the right
> > direction?
>
> I have renamed my sensitive (those containing l/p for mail and mysql) files to .php and constructed them to render a blank page if ever directly called.
>
> Something like this:

NO NEED TO PUT THE HTML TAGS IN..

> I do not think that -r to everyone would work in that Apache still needs to read the file when included by another script.
>
> Still looking for a better way. What concerns me the most is if a code disclosure bug is later discovered in 4.3.0 or another version.

I WOULDN'T WORRY TOO MUCH - THIS IS PRETTY BASIC.

BTW: IF YOU PROTECT FILES WITH HTACCESS AND YOU NEED TO INCLUDE SOME OF THEM TO SERVE PAGES (IE: CONNECT TO DB, ETC) THEN THE USER WILL BE PROMPTED FOR A PASSWORD. YOU WON'T WANT THIS.

> Bryan
RE: [PHP] Protecting files
> How can I protect my php files among other files like templates
> (.inc) and mysql config (config.inc) files being copied/read/imported
> (front page)/used by other applications other than my site...
> can this be done by htaccess? if so, could anyone point me in the right
> direction?

I have renamed my sensitive (those containing l/p for mail and mysql) files to .php and constructed them to render a blank page if ever directly called.

Something like this:

I do not think that -r to everyone would work in that Apache still needs to read the file when included by another script.

Still looking for a better way. What concerns me the most is if a code disclosure bug is later discovered in 4.3.0 or another version.

Bryan
RE: [PHP] Protecting files
If you want to hide the content of an .inc or other file that contains PHP code, simply rename it with a .php extension, i.e. config.inc becomes config.inc.php. The server will parse the file as PHP now and not allow users to download it...

Alternatively you can protect a directory with a .htaccess file if you are using apache. See: http://httpd.apache.org/docs/howto/htaccess.html

-----Original Message-----
From: PR [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 February 2003 8:18 AM
To: 
Subject: [PHP] Protecting files

Hello,

How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...

can this be done by htaccess? if so, could anyone point me in the right direction?

--
Thank you,
Paul
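Justin, Ray and Bryan describe three overlapping defences for config.inc: keep it above the document root, reach it through include_path, and give it a .php name so that a direct request is parsed rather than downloaded. Bryan's version relies on the file producing no output when run on its own; the guard below goes one step further and also makes an include() from a script that has not set things up come back empty. This is an added example written for this thread, not code from any of the posters or from PHP's own documentation. To run stand-alone it writes a sample config.inc.php (constructed for the example) into a temporary directory that stands in for a private directory such as the hypothetical /home/paul/private; the constant name APP_BOOTSTRAPPED and the CLI fallback of using the working directory in place of DOCUMENT_ROOT are assumptions. Requires PHP 7.1 or later.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Shows a config.inc.php that lives outside the document root, is found
// through include_path, and hands back nothing when requested directly or
// included by a script that has not declared itself the bootstrap.
// For a stand-alone run it writes the sample file into a temp directory;
// in a real deployment the file is created once under a private directory
// (e.g. the hypothetical /home/paul/private) and that code goes away.

// The protected file, as constructed for this example. Everything sits
// inside the PHP open tag, so a direct GET renders a blank page; the guard
// returns before any secret is evaluated unless APP_BOOTSTRAPPED (a name
// chosen for this example) has been defined by the including script.
define('CONFIG_INC_PHP', <<<'PHP'
<?php
if (!defined('APP_BOOTSTRAPPED')) {
    return null;   // direct request or foreign include: nothing to see
}
return [
    'db'   => ['user' => 'user', 'pass' => 'password'],
    'mail' => ['user' => 'mail', 'pass' => 'pass'],
];
PHP
);

/** Create the stand-in private directory and the sample file (mode 0600) once. */
function private_dir(): string
{
    $dir = sys_get_temp_dir() . '/php-private-' . getmypid();
    if (!is_dir($dir)) {
        mkdir($dir, 0700);
        file_put_contents($dir . '/config.inc.php', CONFIG_INC_PHP);
        chmod($dir . '/config.inc.php', 0600);
    }
    return $dir;
}

/** True only when $dir resolves to a path that is neither $docroot nor under it. */
function outside_docroot(string $dir, string $docroot): bool
{
    $d = realpath($dir);
    $r = realpath($docroot);
    if ($d === false || $r === false || $d === $r) {
        return false;            // unresolvable counts as unsafe
    }
    return strncmp($d, $r . DIRECTORY_SEPARATOR, strlen($r) + 1) !== 0;
}

/** Resolve config.inc.php through include_path; null if the guard refused. */
function load_config(string $dir): ?array
{
    set_include_path($dir . PATH_SEPARATOR . get_include_path());
    $cfg = include 'config.inc.php';   // bare name: found via include_path
    return is_array($cfg) ? $cfg : null;
}

$dir = private_dir();
// Under Apache DOCUMENT_ROOT is set; at the CLI fall back to the working
// directory so the placement check still has something to compare against.
$docroot = $_SERVER['DOCUMENT_ROOT'] ?? getcwd();

if (!outside_docroot($dir, $docroot)) {
    error_log('refusing to start: config directory is inside the web tree');
    exit(1);
}

// 1. No bootstrap constant yet: the include comes back empty.
$before = load_config($dir);

// 2. Only after the application declares itself do the values appear.
define('APP_BOOTSTRAPPED', true);
$config = load_config($dir);

echo 'before bootstrap: ', var_export($before, true), PHP_EOL;
echo 'db user after bootstrap: ', $config['db']['user'] ?? '(none)', PHP_EOL;

// Tidy up the stand-in directory.
unlink($dir . '/config.inc.php');
rmdir($dir);
```

If the file has to remain inside public_html, the Deny from all rule for *.inc that Justin posts and the .php rename are not alternatives but belt and braces: the Apache rule stops the raw bytes being served, and the rename plus the guard make sure that, if the .htaccess is ever lost or disabled, what gets parsed still prints nothing. None of this helps against another account on the same host reading the file through the shared Apache user; that is the suexec/cgi-wrapper problem Peter raises, and it is addressed with process identity, not with PHP.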
Re: [PHP] Protecting files
On Mon, 17 Feb 2003 15:32:31 -0600 (CST), Greg Donald <[EMAIL PROTECTED]> wrote:

> On Mon, 17 Feb 2003, PR wrote:
> > How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...
> >
> > can this be done by htaccess? if so, could anyone point me in the right direction?
>
> The best way is to not allow anyone else access to your files to begin with. I assume you mean you are in a shared hosting environment? Your system administrators can and should have permissions set up so no one can mess with your stuff by default. If that is not the case, I'd move. What kind of system is it? If it's unix you can make use of chown and chmod to protect your stuff. If it's windows, I don't know.

How can a user protect their files with chmod? Your PHP script runs as the web server's user. Calling the php script and telling it to browse the files on the server would give you access to read other users' data. Or am I wrong?
Re: [PHP] Protecting files
On Mon, 17 Feb 2003, PR wrote:

> How can I protect my php files among other files like templates (.inc) and mysql config (config.inc) files being copied/read/imported (front page)/used by other applications other than my site...
>
> can this be done by htaccess? if so, could anyone point me in the right direction?

The best way is to not allow anyone else access to your files to begin with. I assume you mean you are in a shared hosting environment? Your system administrators can and should have permissions set up so no one can mess with your stuff by default. If that is not the case, I'd move. What kind of system is it? If it's unix you can make use of chown and chmod to protect your stuff. If it's windows, I don't know.

--
Greg Donald
http://destiney.com
RE: [PHP] Protecting files in PHP
> I have some files off of the web root which I'd like to be able to serve up to users (*.doc, *.xls). I know I can do this with header(), but how do I reference a file that's outside of the webroot? Thanks!

You can use an absolute or relative path, just like any other reference. Send the appropriate headers and then use readfile() to send the data.

---John Holmes...
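John's answer here (absolute path, the right headers, readfile()) is the same script that Curt and Andrew recommend in the "Protecting files with PHP" thread above: store the uploads outside the web tree, check the session, send Content-Type and Content-Length, and stream the bytes; Juan's yahoogroups flow is just a login redirect in front of it. The following is an added example for both threads, not code any of the posters wrote. It assumes PHP 7.1 or later, an upload directory /home/maria/files that sits outside public_html, a login page at /login.php that sets $_SESSION['user_id'] on success, and a query parameter f carrying the file name; every one of those names is an assumption.

```php
<?php
// download.php: added example for this thread, not code from any poster.
// Serves one stored upload to an authenticated session and nothing else.
// Assumptions (all hypothetical): uploads live in /home/maria/files, which is
// outside public_html; /login.php sets $_SESSION['user_id'] on success; the
// requested name arrives as ?f=<name>.

session_start();

const FILE_STORE = '/home/maria/files';

function authenticated(): bool
{
    return isset($_SESSION['user_id']);
}

/**
 * Map a user-supplied name onto a file inside FILE_STORE, or return null.
 * basename() strips any directory part the client sent, and the realpath()
 * prefix check catches anything that still resolves outside the store
 * (a symlink planted in the upload directory, for instance).
 */
function resolve_file(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                     // empty, dot-file or traversal attempt
    }
    $root = realpath(FILE_STORE);
    $path = realpath(FILE_STORE . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function send_file(string $path): void
{
    // Every upload goes out as an opaque attachment, whatever its real type,
    // so an uploaded .html or .svg never renders on this origin in another
    // member's browser. The name is scrubbed before it goes into a header.
    $safe = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (!authenticated()) {
    // The flow Juan describes: remember the target, send the member to log in.
    $_SESSION['after_login'] = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: /login.php', true, 302);
    exit;
}

$path = resolve_file($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);             // unknown and forbidden look the same
    exit;
}
send_file($path);
```

Because the client's name is only ever joined to the fixed store after basename() and then re-checked with realpath(), a request such as download.php?f=../../.htpasswd gets a 404 rather than a file. The 404 is also returned for names that exist but fail the prefix check, so the response does not tell a caller which of the two happened.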
Re: [PHP] protecting files
On Monday 29 October 2001 07:37 am, you wrote:
> what is the script that was mentioned a while back that you use to allow apache access to a directory that has all world/group access turned off.

I use php-cgiwrap.

--kurt

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]