Prevent direct access to views
[eluser]reikje[/eluser]
I am having some issues securing my first CodeIgniter site. Even though I am using rewriting in a .htaccess file to get rid of the index.php segment in URLs, I can still access my PHP files in the views folder. Here is my setup:

/etc/apache2/sites-available/the_site
Code: <VirtualHost *:80>

.htaccess file in /var/www/igniter
Code: <IfModule mod_rewrite.c>

routes.php
Code: $route['default_controller'] = "page";

part of my config.php
Code: $config['base_url'] = "/";

Why can I still call directly to http://www.domain.de/system/application/...e_view.php ?
[eluser]Christophe28[/eluser]
I use nginx so I'm not familiar with Apache, but if you want users to not be able to access views, controllers, models, or whatever there is in your public folder, just move it out of the public folder except the index.php. So the server path to your system folder will be something like this:

System: /var/www/site.com/system/
Public: /var/www/site.com/public/

Then in your index.php you have to change the path to your system and application folder like this:
Code: $system_folder = "../system";

My application folder is not in my system folder, otherwise it will be something like this:
Code: $system_folder = "../system";

Best, Christophe
[eluser]Bart Mebane[/eluser]
If your host allows it, the simplest and most secure approach is to move your system folder above the document root (public html) folder. This Wiki article gives step-by-step instructions.
[eluser]reikje[/eluser]
So if I understand you correctly, this is the only way to prevent direct access?
[eluser]Christophe28[/eluser]
I don't know actually, I only used the method described above and would strongly recommend it.
[eluser]Bart Mebane[/eluser]
Another option is the approach used in the CI system files. Include this line at the top of every source file:
Code: if ( ! defined('BASEPATH')) exit('No direct script access allowed');
[eluser]danmontgomery[/eluser]
Significantly easier to just move system and application above webroot
[eluser]cereal[/eluser]
Put this .htaccess file in system » application » views:
Code: <Files ~ "\.(htaccess|php)$">

It's recursive, so this way nobody can access the views directly.
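The thread ends up with three remedies: move system/ above the document root, put the BASEPATH guard at the top of each file, or deny .php requests in the views directory with .htaccess. The script below is an added example (not code from the thread or from CodeIgniter) that lets you audit an install against all three: it checks whether the system folder resolves to a path under the web root, lists view files that lack the BASEPATH guard, and writes a complete deny-all .htaccess for the views directory in both Apache 2.4 (Require) and 2.2 (Order/Deny) syntax. The CI 1.x layout (system/application/views under the docroot), the directory arguments and the guard regex are assumptions; the .htaccess only takes effect where AllowOverride permits Files/FilesMatch sections, so moving system/ out of the docroot remains the one fix that needs no server cooperation.

```shell
#!/bin/sh
# Audit a CodeIgniter 1.x install for view files that can be requested
# directly over HTTP. Added example; the paths below are assumptions.

# Return 0 if the first lines of a PHP file carry the BASEPATH guard that
# CI's own system files use, 1 otherwise. Only the top of the file matters:
# the guard must run before any output or logic.
has_basepath_guard() {
    head -n 5 "$1" | grep -Eq "defined\(['\"]BASEPATH['\"]\)"
}

# Walk a views directory, report every .php file without the guard on
# stderr, and print the number of unguarded files on stdout.
count_unguarded_views() {
    views_dir="$1"
    unguarded=0
    # Heredoc keeps the loop in the current shell so the counter survives.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if ! has_basepath_guard "$f"; then
            echo "UNGUARDED: $f" >&2
            unguarded=$((unguarded + 1))
        fi
    done <<EOF
$(find "$views_dir" -type f -name '*.php' | sort)
EOF
    echo "$unguarded"
}

# Return 0 if the system directory resolves to a path under the document
# root (so Apache can serve its files), 1 if it lives outside as the thread
# recommends, 2 if either directory does not exist.
system_inside_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    sysdir=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$sysdir/" in
        "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write an .htaccess into the given views directory that denies direct
# requests for .php files there and in every subdirectory. Apache 2.4
# evaluates the Require branch; 2.2 lacks mod_authz_core and falls back
# to Order/Deny. Apache's default config already denies .ht* files.
write_views_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct HTTP requests for PHP view files (applies to subdirectories).
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Usage: sh audit_views.sh /var/www/igniter /var/www/igniter/system
# Runs the audit only when called with arguments, so the functions can be
# sourced from other scripts without side effects.
if [ $# -ge 2 ]; then
    if system_inside_docroot "$1" "$2"; then
        echo "WARNING: $2 is under the document root $1" >&2
    else
        echo "OK: system folder is outside the document root"
    fi
    n=$(count_unguarded_views "$2/application/views")
    echo "unguarded view files: $n"
fi
```

Run it against the docroot and system folder of an install; a non-zero unguarded count together with a system folder under the docroot is exactly the situation reikje describes, and write_views_htaccess gives the stopgap for hosts where the folder cannot be moved.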