How to deny acess to folder with php files with sensitive information?

Question

I'm really new to PHP, but I had to rush a job in PHP recently and I did something which has the following structure:

public_html
|
|- html
|- css
|- js
|- root

Root is folder which contains all the PHP handling. In the JS files I post data to a PHP page which then does its stuff. It all works fine but I don't know how to restrict the user from accessing that "root" folder and the PHP files since it contains information that I don't want disclosed.

I also tried .htacess but it gives 500 internal server error.

Why you don't move `root` 1 level upper? So will be at the same level with `public_html`. I think this way the files will not be accessible (depends how you config your server) — Daniel Dudas, Jul 18 '16 at 16:23
Then he/she would need a way to make the scripts accessible to Javascript that post data to them — BeetleJuice, Jul 18 '16 at 16:24

BeetleJuice · Accepted Answer · 2016-07-19T01:15:48.410

This is what I did.

Move the PHP files out of the public folder except for one gateway file

scripts/
   prepend.php
   a.php
   b.php
public_html/
   gateway.php
   html files
   css files
   js files

I use .htaccess to redirect all requests for my PHP scripts to gateway.php. This file does the rest: to get a.php, the browser needs to request url /php/a. /php/b will be forwarded to b.php...

RewriteEngine On
RewriteBase /    
RewriteRule ^php/(.*)   gateway.php?file=$1.php   [END,QSA,NC]

END means to stop looking for more redirect rules. NC means case-insensitive match. QSA means to attach query parameters if any to the redirect destination.

In php.ini, I set auto_prepend_file to point to a file in the scripts folder. This file is run before all PHP scripts, so I can use it to do some configuration. In part, it has a list of allowed PHP scripts.

prepend.php

//the only scripts that will be allowed to run (besides gateway.php)
Const SAFE_SCRIPTS = '"/path/to/gateway.php","/path/to/a.php" ...';
Const SCRIPTS_PATH = __DIR__; //this file should be in the scripts directory

//block unnknown files. This will prevent a malicious file from running
$file = $_SERVER['SCRIPT_FILENAME'];//should be /path/to/gateway.php
if(strpos(SAFE_SCRIPTS,"\"$file\"")===false) {http_response_code(404);exit;}

gateway.php is in charge of making sure the requested PHP file is on the allowed list and of forwarding the request to the right file

//get the file requested. Comes from the htaccess rule
$file = SCRIPTS_PATH.'/'.$_GET['file'];

//if file is not in the allowed list, abort
if(strpos(SAFE_SCRIPTS,"\"$file\"")===false) {http_response_code(404);exit;}

//load the file that will handle the request
require SCRIPTS_PATH.'/'.$file;

My setup is slightly more complicated but you get the idea. Keeps my scripts outside of the public web folder.

score 0 · Answer 2 · answered Jul 18 '16 at 16:30

0

I'm not sure what you're trying to hide exactly but people can't access your PHP code directly through a web server as the code will always be run and only the returned data would be retrievable.

However you can use includes from files outside your web root and have the code that returns the required data inside your web root.

answered Jul 18 '16 at 16:30

Stephen Fox

87
1
10

So a malicious user can't access the php files inside the public folder? Can't they do something like www.website.com/root/config.php for example and open said page? – Forget Jul 18 '16 at 16:35
@Forget they can, but they will only see stuff outside of the php tags (``) or whatever you echo out to the user. As long as your config page is php code, it will just look like a blank page to them. – Jonathan Kuhn Jul 18 '16 at 16:38

How to deny acess to folder with php files with sensitive information?

2 Answers2

Linked