Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Andrew on May 08, 2003, 04:56:03 AM

Title: Secure PHP apps
Post by: Andrew on May 08, 2003, 04:56:03 AM
I am wondering if someone can enlighten me on how I can secure PHP scripts that reside within the /opt location. For example, if I have an app named "phpapp" which is located in /opt/phpapp and there is a config file within that location named "config.inc.php", if I browse to http://www.mydomain.com/phpapp/config.inc.php I am able to view the contents of that file.

How can I configure the app to not "show" the contents of the file?

Thanks in advance.
Title: Re: Secure PHP apps
Post by: Dan Brown on May 08, 2003, 05:14:24 AM
Well, first, PHP should be interpreting that file, so (if it's designed well) it wouldn't display any html to your browser.  Second, in your template fragment, you can do something like this:


  order deny,allow
  deny from all


...if all the config files are in their own directory.  Or even:


  order deny,allow
  deny from all


I'm not so sure about this one, but I think it would work.
Title: Re: Secure PHP apps
Post by: Andrew on May 08, 2003, 06:01:10 AM
Thanks Dan, that did the trick. In my templates I had:


order deny,allow
deny from all


But it was still showing the contents. As soon as I changed line 1 to:


order deny,allow
deny from all


It worked.

Thanks for that.
Andrew.
Title: Re: Secure PHP apps
Post by: Dan Brown on May 08, 2003, 08:10:32 AM
I think another possibility would be .  I'm pretty sure what happened earlier was that the Files directive doesn't take a full path, only a filename.
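
Added example, not part of the original posts: an Apache configuration fragment showing the file-name-only behaviour of the Files directive described in the post above, with the form that does not protect the file next to forms that do. The /opt/phpapp path and the config.inc.php name come from the first post; the `*.inc.php` pattern is an assumption about how the application names its include files.

```apache
# Added example. Paths are taken from the first post in this thread.

# Does NOT protect the file: <Files> is compared with the file name only,
# so an argument that contains a directory path never matches a request.
#<Files /opt/phpapp/config.inc.php>
#    order deny,allow
#    deny from all
#</Files>

# Works: scope the rule to the application directory, then match the bare
# file name inside it.
<Directory /opt/phpapp>
    <Files config.inc.php>
        order deny,allow
        deny from all
    </Files>
</Directory>

# Alternative: block every include file in the application directory with a
# regular expression (assumes the include files end in ".inc.php").
<Directory /opt/phpapp>
    <FilesMatch "\.inc\.php$">
        order deny,allow
        deny from all
    </FilesMatch>
</Directory>

# On Apache 2.4 the two access lines in each block are written as
#     Require all denied
```

After reloading Apache, a request for http://www.mydomain.com/phpapp/config.inc.php should return 403 Forbidden, while the application can still include the file from PHP because the rule only applies to HTTP requests.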
Title: Re: Secure PHP apps
Post by: Andrew on May 08, 2003, 09:28:24 AM
Thanks for that Dan.