see view directory pages!
#1

[eluser]WebbHelp[/eluser]
Hi!

I just saw that I could go to an address like this: http://www.site.com/system/application/views/file.php

And it was opened in the web browser. If this were an admin page, this would be a security hole.
I mean: in the admin controller files, I check in the constructor whether a session, $_SESSION['admin'], exists, and if it does not, I redirect to another page. But do I need to do it in my controller AND in the view files?
It feels... strange... If I need to check if the visitor is an admin or not in both, controllers and the view page.

Thanks //WebbHelp
#2

[eluser]frist44[/eluser]
Could you incorporate an .htaccess file in the views directory to control access?
#3

[eluser]WebbHelp[/eluser]
Yes, I can.

I actually thought they had denied users from visiting view files,
because the user should only see index.php.

But how with .htaccess?

Thanks //WebbHelp
#4

[eluser]frist44[/eluser]
http://httpd.apache.org/docs/1.3/howto/htaccess.html
#5

[eluser]CtheB[/eluser]
Hi,

The easiest way is to enter this line AT THE BEGINNING of your view file:
(this line should be entered at the beginning of ALL of your files)

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); ?>
#6

[eluser]WebbHelp[/eluser]
Frist: thanks, I will check that out.

But what does that line do?
Thanks
#7

[eluser]CtheB[/eluser]
That line makes sure the files are only accessed by the application and not directly in the browser.
#8

[eluser]cahva[/eluser]
[quote author="CtheB" date="1260420835"]Hi,

The easiest way is to enter this line AT THE BEGINNING of your view file:
(this line should be entered at the beginning of ALL of your files)

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); ?>[/quote]

I don't agree, sorry. If he has, for example, 20+ view files inside the views directory, it would be easier to create one .htaccess file in that directory with the content:
Code:
deny from all

But of course the best way would be to move the application and system directories outside of the webroot, as suggested in the user manual.
#9

[eluser]CtheB[/eluser]
Hehe, of course the best way is to move the application and system outside the webroot, and of course the first best solution is
to use .htaccess, but if you try to help a newcomer with a lot of beginner's questions, you want to give him the easiest answers which work for him;
that's why I came up with the easiest solution after all.
#10

[eluser]WebbHelp[/eluser]
Thank you all for the replies.

I want to learn the best way, but also the easiest way; it is good to know them both.
How do you mean: if I put the CodeIgniter system/application outside of the root, how can I reach them as a user then?

I also saw a tutorial; he put the application folder outside the system folder. Shouldn't that be a problem with the paths to the classes?

So how should I do it?

Thanks //WebbHelp =)
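
An added example, not part of the thread and not CodeIgniter code: a Python audit that lists `.php` files covered by neither approach discussed above, that is, the `BASEPATH` guard from post #5 as the file's first statement or a `deny from all` `.htaccess` (post #8) in the directory or a parent. The function names and the sample tree are constructed for illustration.

```python
import os, pathlib, re, tempfile

# Guard line from post #5; it only protects a file if it is the first statement.
GUARD = re.compile(r"""\A\s*<\?php\s+if\s*\(\s*!\s*defined\s*\(\s*['"]BASEPATH['"]\s*\)\s*\)\s*(exit|die)\b""", re.I)
# Rule from post #8. Assumption: Apache honours .htaccess here (AllowOverride);
# that is not checked. Apache 2.4's "Require all denied" is not matched.
DENY = re.compile(r"^\s*deny\s+from\s+all\s*$", re.I | re.M)

def read(path):
    return pathlib.Path(path).read_text(encoding="utf-8", errors="replace")

def denied_by_htaccess(directory, root):
    """True if directory, or a parent up to root, holds 'deny from all'."""
    directory, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        ht = os.path.join(directory, ".htaccess")
        if os.path.isfile(ht) and DENY.search(read(ht)):
            return True
        if directory == root or os.path.dirname(directory) == directory:
            return False
        directory = os.path.dirname(directory)

def audit(root):
    """Relative paths of .php files that have neither protection."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        denied = denied_by_htaccess(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".php") and not denied and not GUARD.match(read(full)):
                exposed.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample(root):
    """Constructed sample tree, not taken from the thread."""
    guard = "<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); ?>\n"
    files = {"views/admin.php": "<h1>Admin</h1>\n",          # no protection
             "views/home.php": guard + "<h1>Home</h1>\n",    # guarded
             "views/late.php": "<h1>Late</h1>\n" + guard,    # guard is not first
             "locked/panel.php": "<h1>Panel</h1>\n", "locked/.htaccess": "deny from all\n"}
    for rel, body in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Run `audit()` against the real `system/application` path to get the list of files that would still execute when requested directly.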