Manny Posted March 4, 2012 Share Posted March 4, 2012 I'm in the process of creating a new website and when I upload files to the server, they are automatically given permissions of 644. Now, there are some files that are only on the server to be included as parts of others (ie, config and source files). As I am unsure, I thought I would ask. If a user discovered the URL for the config file, the results would display in their browser. So, my question is, what permissions must I set in order for the file(s) to run as part of other scripts, but appear as unauthorised should it be typed into a browser? Link to comment Share on other sites More sharing options...
boen_robot Posted March 4, 2012 Share Posted March 4, 2012 This is not a chmod setting. It's a configuration file setting.The easiest way to hide the file is to simply place it outside of the document root (most hosts have a "public_html" folder that is the document root, and allow you to have your own folders one level above). PHP runs on the server, so it can find files outside of the document root. This will give a 404 error instead of a 403 one though.If for whatever reason you can't do that, you need to tell the server not to give the file. Assuming your web server is Apache, create a file called ".htaccess" in your document root, and in it, have something like: <Files "config.php">Order Deny, AllowDeny from All</Files> If the file is a PHP one (as in the example above), you could also write a similar logic into the file itself, like: <?phpif (count(get_included_files()) === 1) { header('Status: 403 Forbidden'); //Content of the error page exit();}//Your configuration file?> Link to comment Share on other sites More sharing options...
Manny Posted March 4, 2012 Author Share Posted March 4, 2012 I'm currently using IF statements similar to what you mentioned, but was wondering if I could do what I wanted using CHMOD. If I can't, then I'll have to live with that. Inside my public_html folder, I have an includes directory. As you can guess, these get included into the PHP files of the site but I don't want users to get direct access to them. What can I do to the .htaccess file to prevent browser access to the entire directory. I put the <files> code in my .htaccess file and the site began to display a 500 error code. Link to comment Share on other sites More sharing options...
boen_robot Posted March 4, 2012 Share Posted March 4, 2012 Sorry, my bad. There should be no quotes around the filename...If you're going to forbid access to the whole directory, you need to use <Directory> in place of <Files>.Also, looking at the docs, it seems <Directory> is actually forbidden in .htaccess files. Oh well... Place the .htaccess file in the includes directory, and have the following in it Order Deny, AllowDeny from All Link to comment Share on other sites More sharing options...
Manny Posted March 4, 2012 Author Share Posted March 4, 2012 I think that's done the trick. If you don't hear back from me then it means I've got no complaints! :Happy: Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.