
I have a private folder in my MVC directory structure to which I want to deny all access. The only way this folder (and the files it contains) should be accessible is through includes.

For the public folder, anyone should be able to access that as that is my View.

The root index.php is my entry file, and that should be able to include and execute the private index.php script.

Can anybody help me out or point me in the right direction for achieving this?

private
    model
    controller
    core
    config.ini.php
    index.php
    ...
public
    stylesheets
    signup.php
    login.php
    index.php
    ...
index.php
Asked by Kid Diamond (edited by tereško)

  • Move `index.php` into `public` folder as it is your entry file (front-controller). Configure your webserver's webroot to `public` folder. Done (and you should have done that in the first place). What's your question? – hakre Apr 27 '14 at 08:53
  • Also you write .htaccess. What have you done so far? Apart from the suggestion in my first comment, you can configure your webserver to deny access to certain resources (or better allow only access to the ones you want to allow access to. that way it's not so easy to make mistakes) – hakre Apr 27 '14 at 08:55
  • Because I have no access to direct server settings, so I figured htaccess would be my best bet. – Kid Diamond Apr 27 '14 at 08:57
  • Can you specify webroot with your hosting settings for that domain? If yes, go with first comment. If not, still go with first comment, then see here (and similar ones): http://stackoverflow.com/q/7945795/367456 - http://stackoverflow.com/q/4970903/367456 - ... – hakre Apr 27 '14 at 08:58
  • Thank you. I got it to work. Also, would it be secure if I had a config.ini file with sensitive information outside my webroot? There is no chance of anybody finding out? – Kid Diamond Apr 27 '14 at 09:39
  • Well, let's say, it's a good practice to not have configuration files inside the webroot so they aren't hosted. Sounds like a pre-condition rather than a post-condition. Also ensure your application is safe against directory traversal attacks - read here for more info: https://www.owasp.org/index.php/Path_Traversal – hakre Apr 27 '14 at 09:42

3 Answers


Add this .htaccess to every folder where you don't want direct access.

<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>
Dávid Szabó


If you're using Apache the typical solution is to put a .htaccess file in ./private containing:

Deny from all

I also concur with hakre that it would make more sense for your webroot to be the public directory.

An alternative solution is to make webroot public, then move private outside of the webroot directory.

i.e.

site/private/...etc...
site/www/index.php
site/www/stylesheets/...etc...

Where www is your webroot.

thexacre


Two ways to do it:

1: Proper way

/homedir/ - where your website is

/homedir/private/ - where your private files are

/homedir/httpdocs/ - public part of the website

2: Another way

/httpdocs/private/ - private files

/httpdocs/private/.htaccess - containing:

    Order allow,deny
    Deny from all

/httpdocs/ - the rest of the files

However, you should know that should your webserver hang up, or should some particular settings change, your .htaccess file might become inactive.

Which means that all your private files will become available via browser.

That's why the first way is preferred over .htaccess restrictions.

What else is possible? Code level restriction:

  1. In every public php script define a constant:

    define("MY_SECRET_CONSTANT", 1);

  2. In every private php script, check on the first line of the code whether the constant is defined:

    if (!defined("MY_SECRET_CONSTANT")) { die("Cannot open the file directly."); }

Anatoliy Kim
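The following is an added example, not code from the question or from any of the answers. It combines the layout recommended in the answers (webroot pointed at public, private kept outside it) with the code-level guard constant from Anatoliy Kim's answer, and adds a realpath check so the front controller can never be tricked into including a file outside the private tree (the directory traversal concern raised in hakre's comment). The file names, the `action` query parameter, the route table and the `include_private` helper are all assumptions made for this example.

```php
<?php
// Added example (not from the question or any answer): public/index.php is the
// only PHP file the web server can reach; everything else lives in ../private.
//
// Assumed layout (hypothetical):
//   site/private/index.php            bootstrap: config, autoloader, etc.
//   site/private/controller/home.php  a controller; guarded, see bottom of file
//   site/public/index.php             this file; the webroot points at site/public
//   site/public/stylesheets/...       static assets

declare(strict_types=1);

// Guard constant checked by every private script (Anatoliy Kim's technique).
define('MY_SECRET_CONSTANT', 1);

// Absolute, symlink-resolved path of the private directory, computed once.
define('PRIVATE_DIR', realpath(__DIR__ . '/../private'));
if (PRIVATE_DIR === false) {
    http_response_code(500);
    exit('Private directory not found.');
}

/**
 * Include a file from the private tree only if, after resolving symlinks and
 * "..", its real path still starts with PRIVATE_DIR. Returns false (and
 * includes nothing) when the file is missing or resolves outside private/,
 * so even a path built from tainted input cannot escape the directory.
 */
function include_private(string $relative): bool
{
    $resolved = realpath(PRIVATE_DIR . '/' . $relative);
    if ($resolved === false) {
        return false; // no such file
    }
    $prefix = PRIVATE_DIR . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved to a path outside private/ (traversal attempt)
    }
    require $resolved;
    return true;
}

// Map a whitelisted action name to a controller file; the request never
// contributes to the path directly, the realpath check above is a second line
// of defence should the table ever be built from less trustworthy data.
$routes = [
    'home'   => 'controller/home.php',
    'login'  => 'controller/login.php',
    'signup' => 'controller/signup.php',
];
$action = $_GET['action'] ?? 'home';
if (!isset($routes[$action])) {
    http_response_code(404);
    exit('Unknown action.');
}

if (!include_private('index.php')) {          // private bootstrap
    http_response_code(500);
    exit('Bootstrap missing.');
}
if (!include_private($routes[$action])) {     // selected controller
    http_response_code(404);
    exit('Controller missing.');
}

// First line of every private script, e.g. private/controller/home.php:
//   if (!defined('MY_SECRET_CONSTANT')) { die('Cannot open the file directly.'); }
// With the webroot at public/ this guard is never reached by a browser; it only
// matters if private/ is later moved back under the webroot or .htaccess stops
// being honoured, which is the failure mode Anatoliy Kim describes.
```

Because `require` runs inside `include_private()`, plain variables set by the bootstrap stay local to that call; anything the rest of the application needs from it should be exposed as constants, functions or classes (or returned from the included file) rather than as globals.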