Posted by Phil on 06/01/07 03:09
Jerry posed some good ideas, a while back, on a website security issue
that comes up often. Garry Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Garry Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsite.com/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
>>Newsgroups: comp.lang.php
>>From: "Garry Jones" <garry.jo...@morack.se>
>>Date: Wed, 26 Apr 2006 23:53:13 +0200
>>Local: Wed, Apr 26 2006 3:53 pm
>>Subject: Prevent loading of php pages
>>I have a website consisting of php segments.
>>Example
>>page1.html calls in code from seg1.php and seg2.php
>>If the user goes directly to www.mydomain.com/seg1.php they see everything
>>visible to a browser on that page. Can I prevent users from loading individual
>>php segments.
>>The only time that seg1.php should be visible is in its original context on
>>page1.html
>>Garry Jones
>>Sweden
>Jerry Stuckle wrote:
>The document root is the root directory of your website. But it is not the root
>directory of your machine. For instance, your document root might be
>"/var/www/website1/html".
>When you upload them, put them in a directory below the root of your website,
>i.e. "/var/www/website1/myfiles". You can then include this page in your
>other PHP pages with something like (assuming Apache):
> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>Anyone accessing a page through http protocol can only access those files in
>your web root. But PHP accesses the file system directly, so it can access any
>file on the system (assuming the appropriate permissions are set).
>==================
>Remove the "x" from my email address
>Jerry Stuckle
>JDS Computer Training Corp.
>jstuck...@attglobal.net
>==================
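Added example, not code from anyone in this thread: a server-side step gate for the sequence Phil describes. The Referer header is sent by the client and can be omitted or set to any value, so this version records completed steps in the session instead. File names step1.php to step4.php, steps.inc.php and the functions completed_step, require_step and mark_step_done are assumptions for illustration.

```php
<?php
// Added example (not from the thread): enforcing a step sequence server-side.
// HTTP_REFERER is client-supplied and can be blank or arbitrary, so the gate
// relies on session state the server itself wrote when each step completed.
//
// Assumed layout (hypothetical): step1.php ... step4.php each require this
// file (steps.inc.php) and call require_step(N) before doing anything else.

session_start();

/**
 * Highest step this session has completed (0 if none).
 */
function completed_step(): int
{
    return (int)($_SESSION['completed_step'] ?? 0);
}

/**
 * Allow the request only if the previous step has been completed.
 * Anything else goes back to step 1, whatever the Referer header says.
 */
function require_step(int $step): void
{
    if ($step > 1 && completed_step() < $step - 1) {
        // Log out-of-sequence requests: a useful signal that someone is
        // probing the flow directly rather than following the pages.
        error_log(sprintf('out-of-sequence request for step %d from %s',
            $step, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        header('Location: step1.php', true, 303);
        exit;
    }
}

/**
 * Record that $step finished; each step calls this after its own validation.
 * Regenerating the id limits reuse of a session id captured earlier in the flow.
 */
function mark_step_done(int $step): void
{
    $_SESSION['completed_step'] = max(completed_step(), $step);
    session_regenerate_id(true);
}

// Typical use inside step3.php (hypothetical file name):
//   require_once __DIR__ . '/steps.inc.php';
//   require_step(3);
//   ... validate and process step 3's form ...
//   mark_step_done(3);
//   header('Location: step4.php', true, 303);
//   exit;
```

Combined with Jerry's advice, steps.inc.php itself would live below the document root so that it can only be reached through the step pages, never by URL.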