
Well, to start, please excuse my beginner English.

I want to know more about security in PHP MVC applications

I've created my own MVC, I still haven't finished it.
My application directory is exposed by URL access with child elements.

How to make this hidden from visitors?

Following is what I am trying

Apache mod_rewrite ?

I still don't know whether to put an empty index.html in each folder, like the CodeIgniter framework does?

What should I use to indicate that, and ... how do I make it?

Edit: I know a little about rewrite rules.

Below is my .htaccess

    Options -MultiViews
    RewriteEngine On
    RewriteBase /ligia

    #RewriteCond %{REQUEST_FILENAME} -f [OR]
    #RewriteCond %{REQUEST_FILENAME} -l [OR]
    #RewriteCond %{REQUEST_FILENAME} -d
    #RewriteRule .+ -
    #I know, it is commented

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule "^(.+)$"    "index.php?uri=$1"   [QSA,L]

But I am not sure whether this is the best way to keep my MVC application secure!?

I need help!

Marcelo
  • If they are a visitor then they won't be logged in. Test this value before showing the option on the web page, i.e. if( user_logged_in ) { show links } – Sep 01 '17 at 10:12
  • Place all the framework code outside the webroot, e.g. with a typical cPanel Apache server, place it outside public_html. Only have your entry point (index.php) and any static assets (css, js, images) in the webroot – Steve Sep 01 '17 at 10:12
  • Please learn the basics of the technologies and read appropriate books and tutorials before you ask questions on SO. – Maciej Jureczko Sep 01 '17 at 10:14

1 Answer

First make sure that your .htaccess file is in your document root (the same place as index.php) or it'll only affect the sub-folder it's in (and any sub-folders within that - recursively).

Next make a slight change to your rule so it looks something like:

    RewriteEngine on
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php?path=$1 [NC,L,QSA]

At the moment you're just matching on `.`, which is one instance of any character; you need at least `.*` to match any number of instances of any character.

If you want the whole shebang installed in a sub-directory, such as /mvc/ or /framework/ the least complicated way to do it is to change the rewrite rule slightly to take that into account.

    RewriteRule ^(.*)$ /mvc/index.php?path=$1 [NC,L,QSA]

And ensure that your index.php is in that folder whilst the .htaccess file is in the document root.

NC = No Case (not case sensitive, not really necessary since there are no characters in the pattern)

L = Last (it'll stop rewriting after this rule, so make sure it's the last thing in your list of rewrites)

QSA = Query String Append, just in case you've got something like ?like=penguins on the end which you want to keep and pass to index.php.

krishnaraj
  • See the edit. Thanks for sharing this; I'd like to know if my application stays secure with just my knowledge – Marcelo Sep 01 '17 at 10:30
  • @MarceloRafael Security cannot be applied to an application like some veneer. Each kind of security problem is dealt with in some other way – krishnaraj Sep 01 '17 at 10:38
  • All right, in this case, to keep my folders protected, does this Apache config work fine?! I'm speaking about direct access by URL – Marcelo Sep 01 '17 at 10:48
  • Sorry for the confusion, I did not explain my problem correctly. But you gave me a lead, thanks to you all – Marcelo Sep 01 '17 at 11:00
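To tie the answer's rewrite rule together with Steve's comment about keeping framework code outside the webroot, here is an added example of a front controller that consumes the rewritten `index.php?path=...` request. This is not code from the original question, the answer, or any framework; the directory layout, the `ROUTES` table and the controller class names are assumptions made for illustration. The security-relevant point is that the only file a visitor can reach by URL is `index.php`, the `path` parameter is matched against a strict character whitelist and an explicit route table, and the file that is ultimately `require`d is chosen from that table rather than built from request data.

```php
<?php
// Added example, not from the original post: a minimal front controller for the
// rewritten request "index.php?path=<uri>" produced by the .htaccess in the answer.
// Assumed layout (hypothetical, not the asker's project):
//   /home/site/app/controllers/HomeController.php   <- app code, OUTSIDE the webroot
//   /home/site/public_html/index.php                <- this file, the only entry point
//   /home/site/public_html/.htaccess                <- the rewrite rules from the answer
declare(strict_types=1);

// Everything that must not be reachable by URL lives one level above the webroot,
// so neither Apache directory listings nor a direct request can expose it.
define('APP_ROOT', dirname(__DIR__) . '/app');

// Explicit route table: only these controller/action pairs are reachable.
// Anything else (including "../" or a raw file path) is a 404, never an include.
const ROUTES = [
    'home/index'  => ['HomeController', 'index'],
    'user/login'  => ['UserController', 'login'],
    'user/logout' => ['UserController', 'logout'],
];

/**
 * Normalise the rewritten path into a "controller/action" key.
 * Returns null for anything outside lowercase letters, digits, '/', '-' and '_',
 * which rejects "..", "%00", spaces, backslashes and absolute paths outright.
 */
function resolveRoute(string $path): ?string
{
    $path = trim($path, '/');
    if ($path === '') {
        return 'home/index';               // default route for "/"
    }
    if (!preg_match('#\A[a-z0-9_-]+(/[a-z0-9_-]+)?\z#', $path)) {
        return null;                       // fails the whitelist
    }
    $parts      = explode('/', $path);
    $controller = $parts[0];
    $action     = $parts[1] ?? 'index';    // "user" alone maps to "user/index"
    return $controller . '/' . $action;
}

$route = resolveRoute((string) ($_GET['path'] ?? ''));
if ($route === null || !isset(ROUTES[$route])) {
    http_response_code(404);
    echo 'Not found';
    exit;
}

// $class comes from ROUTES, not from the request, so no user data reaches require.
[$class, $method] = ROUTES[$route];
require APP_ROOT . '/controllers/' . $class . '.php';

$handler = new $class();
$handler->$method();
```

With this layout the "empty index.html in every folder" trick from CodeIgniter is no longer needed, because the folders it would protect are not under the document root at all. For the static assets that do stay in the webroot, adding `Options -Indexes` to the `.htaccess` turns off Apache directory listings, so a request for a folder without an index file returns 403 rather than a file list.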