Koozali.org: home of the SME Server

Secure PHP apps

Andrew

Secure PHP apps
« on: May 08, 2003, 04:56:03 AM »
I am wondering if someone can enlighten me on how I can secure PHP scripts that reside within the /opt location. For example, if I have an app named "phpapp" which is located in /opt/phpapp and there is a config file within that location named "config.inc.php", if I browse to http://www.mydomain.com/phpapp/config.inc.php I am able to view the contents of that file.

How can I configure the app to not "show" the contents of the file?

Thanks in advance.

Dan Brown

Re: Secure PHP apps
« Reply #1 on: May 08, 2003, 05:14:24 AM »
Well, first, PHP should be interpreting that file, so (if it's designed well) it wouldn't display any html to your browser.  Second, in your template fragment, you can do something like this:


  order deny,allow
  deny from all


...if all the config files are in their own directory.  Or even:


  order deny,allow
  deny from all


I'm not so sure about this one, but I think it would work.

Andrew

Re: Secure PHP apps
« Reply #2 on: May 08, 2003, 06:01:10 AM »
Thanks Dan, that did the trick. In my templates I had;


order deny,allow
deny from all


But it was still showing the contents. As soon as I changed line 1 to;


order deny,allow
deny from all


It worked.

Thanks for that.
Andrew.

Dan Brown

Re: Secure PHP apps
« Reply #3 on: May 08, 2003, 08:10:32 AM »
I think another possibility would be .  I'm pretty sure what happened earlier was that the Files directive doesn't take a full path, only a filename.
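
Added example (not part of the thread, and not the posters' actual template fragments, whose enclosing tags did not survive on this page): a constructed Apache fragment contrasting a `<Files>` section given a full path with one given only a file name, as discussed in Reply #3. The paths /opt/phpapp and config.inc.php come from the question; /opt/phpapp/include is a hypothetical directory used for illustration.

```apache
# Constructed example, using the same access directives as the thread.

# Before: does not protect the file. <Files> is compared against the
# file name only, so an argument containing a directory path never
# matches and the deny rule is silently ignored.
<Files /opt/phpapp/config.inc.php>
    order deny,allow
    deny from all
</Files>

# After: scope by directory, then match the bare file name inside it.
<Directory /opt/phpapp>
    <Files config.inc.php>
        order deny,allow
        deny from all
    </Files>
</Directory>

# Alternative when all config files live in their own directory
# (hypothetical path): deny web access to the whole directory.
# PHP include()/require() read from the filesystem, so the application
# can still load these files.
<Directory /opt/phpapp/include>
    order deny,allow
    deny from all
</Directory>
```

After reloading the web server, a request for http://www.mydomain.com/phpapp/config.inc.php should return 403 Forbidden. On Apache 2.4 the two access lines are written as `Require all denied`.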

Andrew

Re: Secure PHP apps
« Reply #4 on: May 08, 2003, 09:28:24 AM »
Thanks for that Dan.