Gudeve,
Can you recommend me a directory in my web server where I should put sensitive files?
My htdocs is arranged like this:
XAMPP/htdocs/NewsFeed
The NewsFeed directory have index.php. The index.php file's function is to connect to a database. Now, should I put the database file inside htdocs? Will it be safe?
If you have a chance to keep it outside then I suggest you to keep outside. If it is protected, a vulnerability may be exploited even at a later time causing some intrusions. So please try to keep it "away"
I am guessing you are using a SQLite database. I do not think putting it in htdocs is a safe, unless you safeguard it (maybe with .htaccess / chmod) in such a way that the database cannot be accessed by others/world.
Database and database connection details (login, password etc.) should be kept outside htdocs directory.
For editing purposes only you can obfuscate the password, have a look at this post: Don’t let them see your MySQL password
Don't put a database file anywhere it can be web accessible. One should not be able to download your database over HTTP, and if it's web accessible, anyone will be able to do this.
This ought not be confused with connecting to your database. That's something your script will do.
Place the database in some server directory that is only accessible locally (to the webserver), by your script. ie. XAMPP/db
Related
Sorry about my english level.
I researched so much, and i found that can i use ".htaccess" to get redirection to subdomain folder and this is OK.
In Drupal i need to create a folder for each subdomain in "/sites/sub.example.com/" and copy "default.settings.php" from default folder "/sites/default/default.setting.php" and rename it to "settings.php", after that, enable "$databases" variable in the same file, when it's done, i need to add a wildcard and modify "hosts" file.
Well, i should "automate" all this, but i don't know if it's is more hard because it's important hold the server safety with writing permissions or try another way, someone could advise me.
Im working on OSX and Drupal 7.x (recent release)
Thank you very much.
For each site that you want to use separate database, create own sites/ directory with settings.php. For example, if you want to have one database for example.com, another one for sub1.example.com and third one for sub2.example.com, all using same code base, setup your files like this:
sites/example.com/settings.php
sites/sub1.example.com/settings.php
sites/sub2.example.com/settings.php
each settings.php using different database credentials.
Read more here - https://drupal.org/documentation/install/multi-site
Also, if you want to automate this and if there is supposed to be bigger number of sites to be managed, consider deploying aegir - http://www.aegirproject.org.
I hope I understood your question correctly.
(LAMP server configuration)
As a workaround for another problem, I need PHP to be able to access local files, but prevent these files from being served over http by Apache.
Normally, I would just use .htaccess to accomplish this, however due to institutional restrictions, I cannot. I also can't touch php.ini, although I can use php_ini_set within php.
As a creative solution, I thought that if php executes as its own linux user (not as apache) I could use normal chown's and chmod's to accomplish this.
Again, the goal is simply to have a directory of files that apache will not display, but php can access.
I'm open to any suggestions.
Put the files outside of your web accessible root (DocumentRoot), but keep them accessible via PHP.
Suggestion:
/sites
/sites/my.site.com
/sites/my.site.com/data // <-- data goes here
/sites/my.site.com/web // <-- web root is here
Here's a thought. Set the permissions on the files to be inaccessible to even the owner, then when PHP needs them, chmod() then, read them, then chmod() them back to inaccessible.
I am new to webhosting and building a very small PHP website as a part of my project. It will not be used for practical purposes for now, but still I want to make sure that it is not TOO insecure.
I have a few files which I don't want users to access by URL(some text and CSV files) but my PHP code should be able to use them. How can I achieve something like this?
If you don't want them accessed by the web server but just by PHP, the best thing is to just keep them outside the webroot.
You can block access using .htaccess, but that will prevent you from using pretty much any other web server than Apache, and it adds un-necessary overhead (and a possible vulnerability if the .htaccess is accidentally removed or configured wrong)
I am trying to upload two files to a webserver so my teacher can see it. I am using winsp since my filezila doesnt work. But for some reason it is telling me that i don't have access to that page. Can anyone tell me why is it doing that.Here is a picture of my screen.
I am just not understanding why it is telling me that i don't have to access it.
If I had to take a guess, that public_html folder is your public directory where you should put things that anybody can get to (like through a browser). You have your files outside of that directory, so your page can't access them.
edit:
It's an educated guess, as I have seen a fair amount of server configurations that name the public web folder as such (other common names are "www" and "httpdocs")
Problem definitly isn't in code. There is error while uploading files. Can you connect to FTP regulary? If you can. Look for Active or Passive file transfer to FTP. Also if you can upload files, files must be in public_html folder to be visible from browser.
Active or passive
First read Neal comment.
second, you should probably copy the files into the /public_html folder, instead of the / (root) folder.
I have a directory on my website specifically for javascript files, I want these javascript files to be hidden, so if I type the url to it it says Forbidden or disallows access, but my front-end website files can still access them to execute them when needed. Is there a way to do this through a FTP client?
Cheers,
Dan
You can't do this trough a ftp client. It is the task of your webserver to forbid access to certain files.
If you change permission, the webserver won't have access to them anymore, so this is not the way to go.
You must configure your webserver to restrict the access. If you're using Apache, you can use an .htaccess file. There's different ways of doing this, many depends on the way the webserver is configured.
The easiest is to put an .htaccess file in your Scripts folder which contain only this none line :
deny from all
However, like peeter said, there's a good chance this will break your site, since the browser must access theses files, so you can't restrict access.
Put a htaccess file in your scripts folder containing deny from all, but this will stop your pages from accessing the scripts also (though not if you pass them through the PHP engine first)
You're trying to hide JavaScript files that are executed on the clients side. If a client(browser) cannot access the files means non of your javascript code is executed.
If I understood your question correctly then you cannot achieve what you're trying to achieve.