1

I have a simple config page in my root directory. It's similar wp-config.php which in wordpress system. It's name is config.php (or anything). There are some mysql logins or general page functions in my files(functions.php).

When user calls my index page, it loads config.php(or other function pages). But i want to keep them from external calls: i want to block or redirect user when they entered mydomain.com/config.php.

1. Is there any way to do this?

2. If is/isn't, does it matter for security? I don't know about security but it bothers me when i think.

Benjamin
  • 2,073
  • 4
  • 18
  • 16
  • 4
    Accessing mydomain.com/config.php it won't do anything. You can either prevent direct access to the page by checking, for example, if the call is within a framework or not, or by using .htaccess – Damien Pirsy Sep 03 '11 at 13:01
  • 1
    as Damien said. You can restrict the to framework by defining a variable to certain passphrase and set that variable in all files before include call to config.php. In config.php you can check if the variable is defined and has correct value. – Ashwini Dhekane Sep 03 '11 at 13:08

2 Answers2

1

As suggested in the comments - you can restrict access to those files using .htaccess or a simple check for a pre-defined variable. What would be the best thing to do though is to put those files in a path that is not readable from the httpd and include them from there.

Your webroot directory (where index.php is located) is most likely something like /var/www/your_site_dir/htdocs. Put them in the parent directory (/var/www/your_site_dir) and no other restriction would be required.

As for if it affects security ... well, that depends on how your code is written, but you should always restrict access to those, just in case. No system is 100% secure and none can be considered secure if there's even a conditional possibility of somebody having access to a resource that shouldn't be available to them.

Narf
  • 14,600
  • 3
  • 37
  • 66
1

First, do not put executable code in the files you are including. In this way, even if they are called directly, nothing will happen, because they define classes / functions but do not execute them.

Next, if you can't protect them the way @Narf suggests, you can begin all your files with:

<?php
  if (!defined('IN_APP')) {
    exit();
  }

And in you application add define('IN_APP', true)

In this way if your file is called directly, it will just exit.

Maxim Krizhanovsky
  • 26,265
  • 5
  • 59
  • 89