Posted by Rory Browne on 10/13/87 11:25
On 8/30/05, Thomas <tomatosh@gmail.com> wrote:
> Hey guys,
>
> Thanks for all the answers. I had not considered leaving the xml file
> outside the webroot (duh!). However, in this case I don't think it would
> work, as the project is working through a svn structure (and some boxes run
> Linux, otherwise Win).
> I thought that the .htaccess would have been the best (apparently not?).
> Anyway, I will give the filtering out of the .whatever a shot.
You can put the rule for filtering out a .whatever into a .htaccess
file, using the code I gave you above. I discouraged the use of
.htaccess because the apache group discourages it for performance
reasons. If you enable .htaccess, then apache has to check every
subdirectory in your webtree for a .htaccess file, which may be a
resource waste.
The simplest solution if you can't rely on an outside-webtree system,
would be to rename your file.whatever to .htfile.whatever, although it
is a bit of a hack, and not portable to other servers. The same can be
said however about .htaccess.
>
> One thing on that: how about portability? What if I didn't have access to
> the httpd.conf file of Apache on the live server? How will I enable such
> rules (without having to bother the server dude, who may or may not like to
> do that)? From that question, .htaccess files seem the most portable
> solution.
>
> Thanks again.
>
> t
>
> -----Original Message-----
> From: Rory Browne [mailto:rory.browne@gmail.com]
> Sent: 29 August 2005 07:59 PM
> To: Thomas
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Protecing files
>
> Personally I reckon that you should simply place them outside the webroot.
>
> If you are either too lazy to do this, or too paranoid for this alone,
> then you could consider renaming them from filename.xml to
> .ht_filename.xml. There is a section in most default apache config
> files to make filenames beginning with .ht inaccessible.
>
> I would recommend against filtering out .xml files. Whilst they may
> only be config files at the minute, you may in future wish to serve up
> xml files. I would instead suggest that you change your naming scheme
> to have config files ending in .conf, .config, .settings, or .set or
> something else non-standard, and filter out that. A file doesn't have
> to be called something.xml to contain xml.
>
> If for example you want to filter out pages ending in .conf, then you
> could do something like this (assuming my understanding of apache regex
> is correct - big assumption but I'm sure someone will enlighten us if
> it's incorrect):
> <Files ~ "\.conf$">
> Order allow,deny
> Deny from all
> </Files>
>
> You could also shove that into a .htaccess file, but apache docs
> recommend against it (or rather they recommend against the enabling of
> .htaccess).
>
>
>
> On 8/29/05, Thomas <thomas.hochstetter@gmx.net> wrote:
> >
> >
> >
> > Hi there,
> >
> > How can I protect all files with extension .xml from being accessed by the
> > outside? For Apache can one use .htaccess (if yes, how?), is there a generic
> > way of keeping stalkers from viewing your config files?
> >
> > Thomas
> >
> >
> >
> >
> >
> > SPIRAL EYE STUDIOS
> > P.O. Box 37907, Faerie Glen, 0043
> >
> > Tel: +27 12 362 3486
> > Fax: +27 12 362 3493
> > Mobile: +27 82 442 9228
> > Email: thomas.hochstetter@gmx.net
> > Web: <http://www.spiraleye.co.za> www.spiraleye.co.za
> >
> >
> >
> >
> >
>
>
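An added example, not part of the thread: a small Python check that models how the two deny rules discussed above (the default `^\.ht` rule and a `\.conf$` rule with the dot escaped) match a file's base name, and lists which config files under a webroot would still be served. The file paths and function names are hypothetical, and the sample list is constructed.

```python
import re
from pathlib import PurePosixPath

# Deny rules, applied to the base name only, the way <Files ~ "regex"> is.
DEFAULT_HT_RULE = r"^\.ht"   # present in most default Apache configs
CONF_RULE = r"\.conf$"       # the rule from the thread, with the dot escaped


def is_denied(path, rules=(DEFAULT_HT_RULE, CONF_RULE)):
    """True if any deny regex matches the file's base name (unanchored search)."""
    name = PurePosixPath(path).name
    return any(re.search(rule, name) for rule in rules)


def exposed(config_files, rules=(DEFAULT_HT_RULE, CONF_RULE)):
    """Return the config files that no deny rule covers."""
    return [p for p in config_files if not is_denied(p, rules)]


# Constructed sample: config files sitting inside a webroot (hypothetical paths).
SAMPLE_CONFIG_FILES = [
    "app/settings.xml",      # original naming from the thread: still served
    "app/.ht_settings.xml",  # renamed with the .ht prefix: denied
    "app/db.conf",           # renamed to .conf: denied
    "app/db.conf.bak",       # backup copy: served, the rule is anchored at the end
    "app/.htdocs/site.xml",  # only the base name is tested, not the directory
]

if __name__ == "__main__":
    for path in exposed(SAMPLE_CONFIG_FILES):
        print("still served:", path)
```

Backup copies and files in a `.ht`-prefixed directory are the cases the rename-and-filter approach misses, which is why placing the files outside the webroot remains the simpler option.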