Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsitecom/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsitecom/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
>>Newsgroups: comp.lang.php
>>From: "Garry Jones" <garry.jo...@mo rack.se>
>>Date: Wed, 26 Apr 2006 23:53:13 +0200
>>Local: Wed, Apr 26 2006 3:53 pm
>>Subject: Prevent loading of php pages
>>From: "Garry Jones" <garry.jo...@mo rack.se>
>>Date: Wed, 26 Apr 2006 23:53:13 +0200
>>Local: Wed, Apr 26 2006 3:53 pm
>>Subject: Prevent loading of php pages
>>I have a website consisting of php segments.
>>Example
>>page1.html calls in code from seg1.php and seg2.php
>>If the user goes directly to www.mydomain.com/seg1.php they see everything
>>visible to a browser on that page. Can I prevent users from loading individual
>>php segments.
>>visible to a browser on that page. Can I prevent users from loading individual
>>php segments.
>>The only time that seg1.php should be visible is in its original context on
>>page1.html
>>page1.html
>>Garry Jones
>>Sweden
>>Sweden
>Jerry Stuckle wrote:
>The document root id the root directory of your website. But it is not the root
>directory of your machine. For instance, your document root might be
>"/var/www/website1/html".
>directory of your machine. For instance, your document root might be
>"/var/www/website1/html".
>When you upload them, put them in a directory below the root of your website,
>i.e. "/var/www/website1/myfiles". You can then include this page in your
>other PHP pages with something like (assuming Apache):
>i.e. "/var/www/website1/myfiles". You can then include this page in your
>other PHP pages with something like (assuming Apache):
include($_SERVE R['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>Anyone accessing a page through http protocol can only access those files in
>your web root. But PHP accesses the file system directly, so it can access any
>file on the system (assuming the appropriate permissions are set).
>your web root. But PHP accesses the file system directly, so it can access any
>file on the system (assuming the appropriate permissions are set).
>============== ====
>Remove the "x" from my email address
>Jerry Stuckle
>JDS Computer Training Corp.
>jstuck...@attg lobal.net
>============== ====
>Remove the "x" from my email address
>Jerry Stuckle
>JDS Computer Training Corp.
>jstuck...@attg lobal.net
>============== ====
Comment