I am working on a system where the user is only allowed to visit most of the pages if he is logged in correctly. Instead of checking for a correct login on every single page, I am about to make a check on the index page, and including all other subpages from this, if the login passes.

To be sure no one is able to access any other site through their direct url, I will place all pages outside the public_html and include them from here using the path '../page.php'.

Is this a safe way to do things, or am I missing any other security flaws?

Jk1
user2806026

2 Answers

3

Yep, that's safe enough. Assuming that public_html is the root of your web server, users won't be able to access files outside of it directly.

Assuming your web server is compatible with htaccess directives, you can also make a folder such as public_html/private with an .htaccess file containing:

Deny from all

In case you don't want to pollute folders outside of public_html with web content stuff.

Fabrício Matté

0

Don't build the include paths directly from user input or variables that a user can manipulate and you should be OK. You might be better off looking into a PHP framework depending on the size of your project.

Gavin