3

Hello all, please help the ignorant. I've searched high and low to find a solution but it seems to have evaded me.

I have recently set up a PHP file containing a read-all script in the public_html folder on my host. The db_config and db_connect files and any other sensitive files are happily hidden away, so direct access is not possible.

I need to prevent, or at least slow down, the average Joe from being able to run my read-all script in their browser. Obviously, with the time taken to collect such a database it has become somewhat valuable, and I would hate to let someone have it for free too easily.

The PHP needs to be accessible for a mobile application to execute, so unfortunately it has to stay in the public directory (unless you know otherwise?).

Can you please point me in the right direction?

Header redirects seem to be the only option available, which I must admit confuse me on the scripting somewhat.

As much as I'd love someone to just give me the script, where's the fun in not learning it yourself :)

Thank you for taking the time to read and reply.

mynight

2 Answers

0

I'll ignore CHMOD in this answer:

This isn't the best solution, but an easy-to-maintain method of protecting the file would be to block public access to it using .htaccess (if you can). Using a flag like one of the other answers mentions is good too and is also a legitimate way to do this, but .htaccess would disallow the script from even running in the first place.

<Files myfile.php>
# Apache 2.2 access-control syntax; on Apache 2.4 use "Require all denied" instead
order allow,deny
deny from all
</Files>

Edit: Just saw that you mentioned JSON so ignore the above in this case (I am not familiar with JSON, but I don't think it would work).

This solution isn't perfect either, but it could help a little: PHP check whether Incoming Request is JSON type

You can detect if the incoming request is from JSON and then ignore if it isn't.

MKH
  • Intriguing. In which case, would it be possible to deny all except from a JSON request? – mynight Apr 06 '13 at 20:32
  • Ah, didn't realize JSON was involved. I do not think HTACCESS would work in this case. I have modified my answer slightly though. Check out the JSON tip. – MKH Apr 06 '13 at 20:48
  • Sorry I appear to have failed to mention the JSON in the original question, apologies. – mynight Apr 06 '13 at 20:50
-2

As I understand it, your app needs to use it, but not anyone on the web, right? You could do a few things.

First, your app could request the page with a query string like &verified=1, and unless that $_GET variable is passed the script wouldn't work. Like:

<?php
// Only run the read-all code when the request carries ?verified=1
if (isset($_GET['verified'])) {
    // show code
} else {
    // not today, average Joe
    http_response_code(403);
}

You could also put it in a secret directory like "sjdvjhb_kdfjgvkedn"

Ben Thomson
  • Indeed you are correct. That makes perfect sense. So unless the app sends the verification, the script won't execute. By creating a secret directory, you mean within the app? – mynight Apr 06 '13 at 20:27
  • A secret directory on the server where all the code is located. The first solution is better though. – Ben Thomson Apr 06 '13 at 20:45
  • Please note that **this answer and comment suggestions** are not secure for most use cases. Especially using `GET` argument which is very vulnerable, especially without SSL. You should either use session, some kind of token (eg. JWT) or any other reliable authentication method. The easiest one would probably be just placing the file above the `www` or `public_html` directory (directory that is publicly available, name depends on your config). – Lis Jun 01 '21 at 15:42
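The weak ?verified=1 gate from the answer above next to a hardened variant of the token approach Lis's comment recommends, as an added example that is not code from either answer or from the asker's project. It assumes the mobile app sends a shared secret in an X-Api-Key header and that the secret is kept in a file above public_html (the path below is a placeholder).

```php
<?php
// Added example, not code from the answers above. Placeholder path assumed.
const SECRET_FILE = '/path/above/public_html/api_secret.txt'; // placeholder

// Weak: the gate from the answer above. Anyone who learns the parameter
// name can append ?verified=1 in a browser, so it only hides the URL.
function weak_gate(array $get): bool
{
    return isset($get['verified']);
}

// Hardened: the app sends the shared secret in an X-Api-Key header and the
// server compares it, in constant time, against a secret stored outside
// the public directory (same idea as the hidden db_config file).
function load_secret(string $path): string
{
    $secret = is_readable($path) ? trim((string) file_get_contents($path)) : '';
    if ($secret === '') {
        throw new RuntimeException('API secret not configured');
    }
    return $secret;
}

function strong_gate(array $server, string $secret): bool
{
    $presented = $server['HTTP_X_API_KEY'] ?? '';
    // hash_equals() does not stop at the first mismatching byte, so the
    // response time does not reveal how much of the key was correct.
    return $presented !== '' && hash_equals($secret, $presented);
}

// Request handling: refuse before any database work happens.
try {
    $secret = load_secret(SECRET_FILE);
} catch (RuntimeException $e) {
    http_response_code(500);
    exit;
}
if (!strong_gate($_SERVER, $secret)) {
    http_response_code(403);
    exit('Forbidden');
}
// Only past this point run the read-all query and emit the JSON.
```

A secret embedded in a mobile app can be recovered from the app itself, so this raises the bar for the casual visitor the question describes rather than providing real authentication, and the header must travel over HTTPS or it is visible on the wire.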