Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-14 Thread hassan el forkani

well...
  i don't think there should be any problem if the included file is a class 
(right???)
come to think about it,
  is it possible to create an object by passing a url like 
this:   file.inc?file=new mysqlfile-conn() i mean would this run the class??


regards

At 05:00 14/07/01, Rasmus Lerdorf wrote:
  there should not be any problem if your web server is configured to parse
  .inc extensions as PHP, in which case, even if the file is called
  separately, the server will strip php tags and send normal html output.

Once again, don't do this.

If you write your .inc files assuming they are going to be running in the
context of a larger framework where they are included into you are likely
to miss things that could be a security problem if they are run by
themselves via something like: file.inc?file=/etc/passwd

You are better off letting people see the source code to your .inc file as
opposed to letting people execute them out of context.

Obviously the most secure way is to simply put all your include files
outside of your document_root so they can't be accessed directly.

Or, alternatively add a simple rule to your httpd.conf:

   <Files ~ "\.inc$">
   Order allow,deny
   Deny from all
   </Files>

-Rasmus



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-13 Thread hassan el forkani

there should not be any problem if your web server is configured to parse 
.inc extensions as PHP, in which case, even if the file is called 
separately, the server will strip php tags and send normal html output.

regards



At 00:11 10/07/01, Noah Spitzer-Williams wrote:
Hey guys,

 I come for advice once again. Say i have a file dbconnect.inc which
connects to my database. Now if this file is located in a directory
accessible for to the web is there anyway that if someone types in that file
i can detect it being accessed, instead of included, and redirect them
elsewhere?

Thanks guys!

- Noah










Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-13 Thread Rasmus Lerdorf

 there should not be any problem if your web server is configured to parse
 .inc extensions as PHP, in which case, even if the file is called
 separately, the server will strip php tags and send normal html output.

Once again, don't do this.

If you write your .inc files assuming they are going to be running in the
context of a larger framework where they are included into you are likely
to miss things that could be a security problem if they are run by
themselves via something like: file.inc?file=/etc/passwd

You are better off letting people see the source code to your .inc file as
opposed to letting people execute them out of context.

Obviously the most secure way is to simply put all your include files
outside of your document_root so they can't be accessed directly.

Or, alternatively add a simple rule to your httpd.conf:

  <Files ~ "\.inc$">
  Order allow,deny
  Deny from all
  </Files>

-Rasmus






RE: [PHP] how to hide dbconnect file if its in published directory?

2001-07-11 Thread scott [gts]

try putting an .htaccess file into that directory.
or (as someone else already suggested) tell apache
to disallow access to *.inc files (or to the entire
directory)

 -Original Message-
 From: Noah Spitzer-Williams [mailto:[EMAIL PROTECTED]]
 Subject: [PHP] how to hide dbconnect file if its in published directory?
 
 Hey guys,
 
 I come for advice once again. Say i have a file dbconnect.inc which
 connects to my database. Now if this file is located in a directory
 accessible for to the web is there anyway that if someone types in that file
 i can detect it being accessed, instead of included, and redirect them
 elsewhere?
 
 Thanks guys!
 
 - Noah






Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-10 Thread John Weaver

On Tuesday 10 July 1979 12:39 am, [EMAIL PROTECTED] wrote:
 on 7/10/01 12:30 AM, John Weaver at [EMAIL PROTECTED] wrote:
  Sorry, I should have been more clear.  If you write modular code, your
  included file will be nothing but a group of functions.  Call a file with
  nothing but functions in it and you get; <HTML><HEAD></HEAD></HTML>.  I
  can't see the security problem you refer to.

 Ahhh!

 I have this problem now ... do you put the <?php ?> tags on an inc file?

 If not how do you keep people from reading it?


Yes, I include the php tags so that PHP will parse it as php code.

-- 
Regards,
John Weaver





Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-10 Thread teo

Hi Thomas!
On Tue, 10 Jul 2001, Thomas David Kehoe wrote:
 
 include ('http://www.friendshipcenter.com/Objects/swordfish.inc');
 echo "Your password is ", PASSWORD;
 
 it works, i.e., prints Your password is swordfish.
 
 When I use the following lines
 
 include ('http://www.friendshipcenter.com/Objects/swordfish.php');
 echo "Your password is ", PASSWORD;
 
 it doesn't work, i.e., prints Your password is PASSWORD.
 
 I tried putting swordfish.inc in my cgi-bin directory, which is outside my
 www directory.  I can't figure out what pathname to call it with.  I.e.,
 
 include ('cgi-bin/swordfish.inc');
wai' wai' waitasecond!
gosh :)
you're including your inc file via web just cause you couldn't figure the path
via file system? Well, this way anybody can read it.

 I rent server space from phpwebhosting.com, so I can't change the PHP
 settings.
I'm about to deploy a B2B there too, and I can give you a hint on the path.

your home is ~account == $HOME
your web is under $HOME/www/
lines starting w/ $ are shell commands

now, create a dir inc like that:
$ mkdir ~/phpinc

put your password file there
$ echo "<?php define('PASSWORD','@#complicated'); ?>" > ~/phpinc/password.php

move to ~/www/
$ cd ~/www
create a file named test.php by editing it with vim or something

say:
<?php
define ('PHPINC',dirname(__FILE__).'/../phpinc');

include (PHPINC.'/password.php');
echo "Password is: ", PASSWORD;
?>

-end edit-

The first line defines where the directory with PHP files that are out
of any visitor's sight is. Nobody should reach them via web unless you do
something silly in your PHP programs (i.e. trust user supplied data)

Now request test.php via your browser. It should work.
$ lynx http://www.yourdomain.com/test.php

Nobody can read your password file, cause it's outside web root (in this case
under $HOME/phpinc)

cheers,

-- teodor





Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-09 Thread David Robley

On Thu,  1 Jan 1970 09:30, [EMAIL PROTECTED] wrote:
 I come for advice once again. Say i have a file dbconnect.inc
  which connects to my database. Now if this file is located in a
  directory accessible for to the web is there anyway that if someone
  types in that file i can detect it being accessed, instead of
  included, and redirect them elsewhere?
 
 Thanks guys!
 
 - Noah

 Sure, try putting a quick if statement at the top checking for the
 $PHP_SELF.  If it's dbconnect.inc, then have it die with a message...

 // $PHP_SELF holds the URL path, so compare the base name only
 if (basename($PHP_SELF) == 'dbconnect.inc') { die('Access Denied!'); }

 Also, I know that my server isn't set to parse .inc files, and it shows
 the source of them.  For that reason, I renamed all my include files to
 .php.

 rick
 http://techno-weenie.com

Of course, if your server has the capability, you could always set it not 
to serve .inc files.

Apache:

# Keep from serving .inc files anywhere in the DocumentRoot structure
<LocationMatch ".*\.inc$">
Order allow,deny
Deny from all
</LocationMatch>


-- 
David Robley  Techno-JoaT, Web Maintainer, Mail List Admin, etc
CENTRE FOR INJURY STUDIES  Flinders University, SOUTH AUSTRALIA  

   Oxymoron: Safe Sex.





Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-09 Thread John Weaver

On Monday 09 July 2001 06:11 pm, Noah Spitzer-Williams wrote:
 Hey guys,

 I come for advice once again. Say i have a file dbconnect.inc which
 connects to my database. Now if this file is located in a directory
 accessible for to the web is there anyway that if someone types in that
 file i can detect it being accessed, instead of included, and redirect them
 elsewhere?

 Thanks guys!

 - Noah

The best compromise I have seen is to name your file - somefile.inc.php

-- 
Regards,
John Weaver

 





Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-09 Thread Rasmus Lerdorf

  I come for advice once again. Say i have a file dbconnect.inc which
  connects to my database. Now if this file is located in a directory
  accessible for to the web is there anyway that if someone types in that
  file i can detect it being accessed, instead of included, and redirect them
  elsewhere?
 
  Thanks guys!
 
  - Noah

 The best compromise I have seen is to name your file - somefile.inc.php

No, don't do that.  Protect *.inc files from being accessed by adding a
rule like this to your httpd.conf:

  <Files ~ "\.inc$">
  Order allow,deny
  Deny from all
  </Files>

If you name include files with a .php extension and these files are
designed to be used as included files then loading them directly out of
context could be a security problem.  You are much better off naming your
files some non-PHP extension and blocking all direct access to these
files, or better yet, put your include files somewhere outside your
document_root.

-Rasmus


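An added example in current PHP, not code from the thread, combining two points made above: Rasmus's warning that an include fragment run out of context is a security problem, and rick's $PHP_SELF check, redone on resolved file paths. The two helper functions and the DocumentRoot self-check are written for this example; the $HOME/phpinc layout is taken from teo's post.

```php
<?php
// Added example, not code from the thread. Current PHP: the $_SERVER
// array did not exist in July 2001, when $PHP_SELF was the only option.
//
// The pattern Rasmus warns about, kept as a comment: a fragment that
// trusts a variable its caller was supposed to set. With register_globals
// on, page.inc?file=... filled $file from the query string.
//     include($file);

// True when $included is the script the server invoked directly, i.e. it
// runs out of context instead of being include()d. Resolved paths are
// compared; the thread's `$PHP_SELF == 'dbconnect.inc'` never matches
// because $PHP_SELF carries the URL path, not a bare file name.
function requested_directly($included, $script_filename)
{
    $a = realpath($included);
    $b = realpath($script_filename);
    return $a === false || $b === false || $a === $b;
}

// True when $dir resolves to a location at or below the DocumentRoot, so
// a missing or mistyped <Files> rule would serve whatever is in it.
// Unresolvable input is reported as exposed rather than silently passed.
function inside_docroot($dir, $docroot)
{
    if ($docroot === '') {
        return true;
    }
    $d = realpath($dir);
    $r = realpath($docroot);
    if ($d === false || $r === false) {
        return true;
    }
    return $d === $r || strpos($d . '/', $r . '/') === 0;
}

// Body of the include file itself, e.g. $HOME/phpinc/dbconnect.inc
// (hypothetical path, following teo's layout).
if (requested_directly(__FILE__, $_SERVER['SCRIPT_FILENAME'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied.');
}
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
if (inside_docroot(dirname(__FILE__), $docroot)) {
    error_log(__FILE__ . ' sits under DocumentRoot: move it or deny *.inc');
}
define('DB_PASSWORD', '@#complicated'); // placeholder secret, as in the thread
```

Requested directly (or run from the command line) the file stops at the 403 guard; include()d from a page it defines the constant and only logs if someone later copies the phpinc directory under the web root.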




Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-09 Thread Mark Ferraretto

  I usually have a directory called html where all my php files are and 
secure where any secure stuff (like db connects) reside.  Then, all I do 
is include the file

require('../secure/secure.inc');

Obviously html maps to a web server path but secure doesn't.

Mark

John Weaver wrote:

On Monday 09 July 2001 06:11 pm, Noah Spitzer-Williams wrote:

Hey guys,

I come for advice once again. Say i have a file dbconnect.inc which
connects to my database. Now if this file is located in a directory
accessible for to the web is there anyway that if someone types in that
file i can detect it being accessed, instead of included, and redirect them
elsewhere?

Thanks guys!

- Noah


The best compromise I have seen is to name your file - somefile.inc.php


-- 
Mark Ferraretto          Phone:  +61 8 8396 2448
Ferraretto IT Services   Fax:    +61 8 8396 7176
26 Observation Drive     Mobile: +61 407 959 719
Highbury SA 5089         Email:  [EMAIL PROTECTED]
Australia                ICQ:    64748102









Re: [PHP] how to hide dbconnect file if its in published directory?

2001-07-09 Thread John Weaver

On Tuesday 10 July 2001 12:02 am, Rasmus Lerdorf wrote:
   I come for advice once again. Say i have a file dbconnect.inc which
   connects to my database. Now if this file is located in a directory
   accessible for to the web is there anyway that if someone types in that
   file i can detect it being accessed, instead of included, and redirect
   them elsewhere?
  
   Thanks guys!
  
   - Noah
 
  The best compromise I have seen is to name your file - somefile.inc.php

 No, don't do that.  Protect *.inc files from being accessed by adding a
 rule like this to your httpd.conf:

   <Files ~ "\.inc$">
   Order allow,deny
   Deny from all
   </Files>

 If you name include files with a .php extension and these files are
 designed to be used as included files then loading them directly out of
 context could be a security problem.  You are much better off naming your
 files some non-PHP extension and blocking all direct access to these
 files, or better yet, put your include files somewhere outside your
 document_root.

 -Rasmus

Sorry, I should have been more clear.  If you write modular code, your 
included file will be nothing but a group of functions.  Call a file with 
nothing but functions in it and you get; <HTML><HEAD></HEAD></HTML>.  I can't 
see the security problem you refer to. 
 
-- 
Regards,
John Weaver
