I'm creating a very simple login system where my PHP code stores and reads file names (account name) and content (password), but anyone could simply navigate to that folder and read whatever. So what I want is that a folder gets "locked" from any connections, while I can still read / write to it with PHP. I use XAMPP to host, if it has any relevance.
Is this possible? If not, are there other simple ways of storing / reading account password and name?
Found my solution, by putting
order deny,allow
deny from all
inside .htaccess in the folder I want private.
In some CMS backup system I see they use the following .htaccess code in the backup folder:
order deny,allow
deny from all
allow from none
I was wondering if this is fail-safe or if it is possible to annoy the server so badly that the .htaccess file is ignored.
The reason I ask this is because if that is possible I would rather put the files outside the httpdocs folder so they are not accessible by a browser. That, though, requires me to use quite some extras to show or use those files if I want to.
Anyone have an idea or tips?
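As an added example (not part of the original post), the same deny rule placed in the main server configuration, where it does not depend on .htaccess files being read. The directory path is a placeholder.

```apache
# Added example: fragment for httpd.conf or a <VirtualHost>, not for .htaccess.
# "/var/www/example/httpdocs/backup" is a placeholder path.
#
# A rule in backup/.htaccess only works while the server is configured to
# read .htaccess files. With "AllowOverride None" on the enclosing
# <Directory> (the default since Apache 2.4) the file is not read and the
# folder is served like any other.
#
# A rule in the main configuration is applied regardless of that setting.
<Directory "/var/www/example/httpdocs/backup">
    # Do not read .htaccess files here, so the rule cannot be overridden
    # by a file dropped into the folder.
    AllowOverride None

    # Apache 2.4 and later: authorization is handled by mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: the older Order/Deny syntax quoted in the post.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

# Files stored outside the DocumentRoot need no rule at all: no URL maps to
# them, so only server-side scripts can reach them.
```

Running `apachectl configtest` after the change checks the syntax before the server is reloaded.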
I know it's a bit of a beginner question, but I tried several combinations and none work... Here's what I need to achieve using .htaccess and .htpasswd:
I have a www.mysite.com/protected folder.
By default, all IPs shouldn't see that this folder or any files inside it exist (basically they should be redirected to www.mysite.com)
A certain IP (my external IP M.M.M.M) should be able to access that protected folder and be asked for a username and password
All IPs should be able to see some files inside the folder without being asked for a password (www.mysite.com/protected/file1 and www.mysite.com/protected/file2)
I know the latter rule opens an exception to the first, but that's how I need it (a general rule denying all and then whitelisting some files)
Thanks in advance for any help, been struggling with this for a bit now :(
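One way to express these three rules in a single .htaccess file, as an added example that is not part of the original post. It uses Apache 2.4 syntax; the AuthUserFile path, the realm name and the http:// scheme are assumptions, and M.M.M.M must be replaced by the real address.

```apache
# Added example: .htaccess for www.mysite.com/protected (Apache 2.4 syntax).
# The server must allow these directives in .htaccess through AllowOverride.

AuthType Basic
AuthName "Protected area"
# Placeholder path. Keep the password file outside the document root so it
# can never be fetched over HTTP.
AuthUserFile "/path/outside/docroot/.htpasswd"

# Rule 2: both conditions must hold. A request from any other address is
# refused with 403 before a password prompt is ever shown.
<RequireAll>
    # Replace M.M.M.M with the real external address.
    Require ip M.M.M.M
    Require valid-user
</RequireAll>

# Rule 1: a full URL in ErrorDocument makes Apache answer a refused request
# with a redirect to the home page instead of an error page.
ErrorDocument 403 http://www.mysite.com/

# Rule 3: the two public files. A <FilesMatch> section is merged after the
# directory-level rules, so it replaces the <RequireAll> block for them.
# The pattern is matched against the file name only, so a file1 or file2 in
# a subfolder of /protected becomes public as well.
<FilesMatch "^(file1|file2)$">
    Require all granted
</FilesMatch>
```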
I have a directory on my website specifically for JavaScript files. I want these JavaScript files to be hidden, so if I type the URL to it, it says Forbidden or disallows access, but my front-end website files can still access them to execute them when needed. Is there a way to do this through an FTP client?
Cheers,
Dan
You can't do this through an FTP client. It is the task of your webserver to forbid access to certain files.
If you change permissions, the webserver won't have access to them anymore, so this is not the way to go.
You must configure your webserver to restrict the access. If you're using Apache, you can use an .htaccess file. There are different ways of doing this; much depends on the way the webserver is configured.
The easiest is to put an .htaccess file in your Scripts folder which contains only this one line:
deny from all
However, like peeter said, there's a good chance this will break your site, since the browser must access these files, so you can't restrict access.
Put an .htaccess file in your scripts folder containing deny from all, but this will stop your pages from accessing the scripts also (though not if you pass them through the PHP engine first).
You're trying to hide JavaScript files that are executed on the client's side. If a client (browser) cannot access the files, that means none of your JavaScript code is executed.
If I understood your question correctly then you cannot achieve what you're trying to achieve.
If I allow a user to upload a file, after the user has uploaded the file, the file will go to
wwww.someplace.com/public_file/... ....
So, everybody can access the file. But I would like to make some restrictions on that. For example, I want to reduce the download speed for users who are not logged in. How can I do that? Also, I want to stop a user from getting the files if he/she doesn't have a user right... ... For example, if some user uploads to
wwww.someplace.com/secret_place/... ...
Only users who have some rights can get access to this place... ... How can I do that? Should I do this in the web application and in the Apache server config too? Thank you.
For users you can split this between Apache and your application, as I know most servers support using a database for authentication. Apache certainly supports many methods of authentication; you should find some useful info here:
http://httpd.apache.org/docs/current/howto/auth.html
One thing to note is that if you were to do this exclusively in the application then it would be easily bypassable. You can restrict the download speeds for non-logged-in users using traffic shaping.
Let’s consider that we want to deny access to all files with the extension .inc. In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
Similar to this we can deny access to whatever files we might need…
Gudeve,
Can you recommend me a directory in my web server where I should put sensitive files?
My htdocs is arranged like this:
XAMPP/htdocs/NewsFeed
The NewsFeed directory has index.php. The index.php file's function is to connect to a database. Now, should I put the database file inside htdocs? Will it be safe?
If you have a chance to keep it outside then I suggest you keep it outside. If it is protected, a vulnerability may be exploited even at a later time causing some intrusions. So please try to keep it "away".
I am guessing you are using a SQLite database. I do not think putting it in htdocs is safe, unless you safeguard it (maybe with .htaccess / chmod) in such a way that the database cannot be accessed by others/world.
Database and database connection details (login, password etc.) should be kept outside htdocs directory.
For editing purposes only you can obfuscate the password, have a look at this post: Don’t let them see your MySQL password
Don't put a database file anywhere it can be web accessible. One should not be able to download your database over HTTP, and if it's web accessible, anyone will be able to do this.
This ought not be confused with connecting to your database. That's something your script will do.
Place the database in some server directory that is only accessible locally (to the webserver), by your script, i.e. XAMPP/db