0

I have made a subdomain for my website which I will use to store all the important scripts, both PHP and JavaScript. I want to protect everything there so that it cannot be accessed from a web browser.

I have tried .htpasswd, but when the page is called to do its function, a password is required every time.

You can say that the folder can be protected, but it makes the script not work because access requires a password.

Are there better alternatives?

Gayot Fow
Alex
    How do you want to _execute_ JavaScript code when you can't access it?! And for PHP scripts: don't put them in a publicly accessible folder if you don't want them to be publicly accessible. – KingCrunch Dec 31 '11 at 14:23

3 Answers

2

Put the PHP files outside of the web-root, and have the server access/include/require them via the file-path. My own private scripts reside in the 'private' folder, which is in the same directory as the /var/www/ directory, and are accessed via: include '../private/script.php'

This won't work for JavaScript, though (except for possibly server-side JavaScript), as it needs to be accessed by the user/client before it can be used. If it can't be accessed it can't be used, which makes it somewhat pointless. To ensure security for JS, don't put anything private into the JavaScript; it's the only way. Then sanitise any input taken from that JavaScript.

David Thomas
  • Thanks. You mean if I use this method, it's OK with PHP? – Alex Dec 31 '11 at 14:50
  • I have tried specifying ../provate/script.php but it did not work. I also tried /home/user/private/script; it did not work either. – Alex Dec 31 '11 at 15:14
  • Then you need to talk to your web-host about where to put your files to keep them outside of the web-root, and how to access them when they're there. – David Thomas Dec 31 '11 at 15:16
  • I will contact them now, and will give the answer as soon as I get it to work :) Thanks. – Alex Dec 31 '11 at 15:19
0

You can always use .htaccess's deny from all.

See this article on .htaccess to learn more

ThiefMaster
Madara's Ghost
  • But the problem is that the PHP script stops working because of this kind of protection. The folder is protected but the script does not work. :S – Alex Dec 31 '11 at 15:52
0

I like to use an inclusive IP address range for restricted access. The question is unclear, so I'm not sure if that's what you mean, but this is an example:

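RewriteEngine on
# Compare the client IP (REMOTE_ADDR); the trailing $ makes it an exact-address match
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
# Every other client gets a temporary redirect to the site root
RewriteRule ^(.*) / [R=302,L]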

Add that to a .htaccess file in the folder you'd like to protect, replace XXX.XXX.XXX.XXX with your IP address, and anyone but you will be redirected.

You'd probably want a password as well for very restricted areas.

Edit:

In place of a long comment.

Client-side scripts shouldn't have any greater access when making 'AJAX' requests than any standard request made to a publicly accessible file. It's not easy to help without more info on 'why' you want to. Storing your PHP stuff outside of the document root is probably the way to go, but that stuff would then only be accessible from the server-side (e.g. PHP).

You could make an XMLHttpRequest to an accessible page, which could in turn access files stored in a non-public location. e.g., either with an absolute path /var/private/, adapted to suit, or by traversing the directory structure with e.g. ../private, meaning one directory higher where your root may be /var/www.

stackuser10210
  • ^ That's also a handy trick to use for live edits or overhauls to websites (turn on a rewrite condition for _everyone but_, while you make changes). – stackuser10210 Dec 31 '11 at 14:40
  • Hi, thanks for the answer, but I think you misunderstood. Let me explain more. I made an AJAX script which calls the PHP page to do something. I put the PHP file in a folder, and I want it to be protected. But when I use .htpasswd, the folder is protected, but it makes the PHP script stop working, because every time AJAX calls the PHP file, it needs a password. – Alex Dec 31 '11 at 14:40
  • I don't use my PC as a server. Why did you suggest that I put in the IP address? Or, you could say, I want to protect this folder without destroying the function in the PHP file. – Alex Dec 31 '11 at 14:46
  • I want to put the PHP outside because I fear people will steal it... and that is... I think your solution is the same as David Thomas's. I'm trying to contact the owner of my web server about how to connect it. :) – Alex Dec 31 '11 at 15:23
  • I saw the other answer before I made the edit, but I'd have said the same using the same dummy paths : ). I'll leave you to it, I think. Good luck and happy NY. – stackuser10210 Dec 31 '11 at 15:28
  • I'm contacting the owner of the web server to get the info about my path. Thanks, I will try. – Alex Dec 31 '11 at 15:31
  • So sad. They told me that I cannot do this. They said if I put this file outside, it could not be accessed. Hmm, maybe I have to give up :S – Alex Jan 01 '12 at 02:40
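
The two suggestions above (keep the PHP scripts outside the web root, and let the AJAX call request one publicly accessible page that includes them) combined in one sketch. This is an added example, not code from any of the answers: the file names ajax.php, save_note.php and list_notes.php and the action parameter are hypothetical, the /var/www and /var/private layout follows the dummy paths used in the answers, and PHP 7.1 or later is assumed.

```php
<?php
// /var/www/ajax.php: the only script the browser (and the AJAX call) can request.
// Private scripts live in /var/private, outside the web root (hypothetical names).

// Absolute path built from this file's location. A path starting with '../' is
// resolved against the current working directory, not this file's directory,
// so a bare relative include can fail depending on which script was requested.
define('PRIVATE_DIR', dirname(__DIR__) . '/private');

// Allow-list: the request chooses a key, never a file name or a path.
const ACTIONS = [
    'save_note'  => 'save_note.php',
    'list_notes' => 'list_notes.php',
];

function resolve_action(string $action): ?string
{
    if (!array_key_exists($action, ACTIONS)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . ACTIONS[$action]);
    // realpath() returns false for a missing file; also confirm the result is inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'POST only']));
}

$action = is_string($_POST['action'] ?? null) ? $_POST['action'] : '';
$script = resolve_action($action);
if ($script === null) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown action']));
}

// The private script validates its own $_POST fields and returns an array.
$result = require $script;
echo json_encode($result);
```

The browser only ever sees the JSON that ajax.php prints; the source of the scripts in /var/private is never served, and no password prompt is involved.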