.htaccess is not enough
#1

[eluser]psolms[/eluser]
Hi there. I have a site that has an .htaccess protecting the sensitive files (inside the admin directory) from direct access, but they can still be accessed through index.php.

My file structure looks like this:

/application/controllers/
--public controller that i need public access to
--/admin/
----private controllers that need to be hidden
--.htaccess (preventing direct access)

When I go to the following in my address bar

http://mysite.com/path_to_CI/index.php/a...controller

I can still see everything.

Is there any way to fix this quickly? I've been trying to use

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

in the private_controller, but it's not working.

Thanks for any help.
#2

[eluser]Bart Mebane[/eluser]
Move your system folder and application folder outside of your public html folder, and edit $system_folder and $application_folder in index.php to reflect the new locations. That way none of your code will be accessible from a browser. The only thing that needs to be public is index.php.
#3

[eluser]Twisted1919[/eluser]
HA?
It's perfectly normal to access those files; if you cut the access, how do you expect to use those controllers?
Have you ever heard of implementing an auth system that can do basic things like knowing who's an admin and has access there, and who's not an admin and kicking him out?
That's what you need.
#4

[eluser]WanWizard[/eluser]
All CI requests go through index.php; no other file (except your site's assets) needs to be accessible directly.
So you can move all files (application and system) out of the docroot without problems.

That being said, there is no added security benefit imho.

In both cases the files themselves are not directly accessible from the browser (unless you use a RewriteRule that tests for file existence, which isn't a good idea), and in both cases your Apache user shouldn't have write access in those directories.
#5

[eluser]Bart Mebane[/eluser]
Quote: if you cut the access how do you expect to use those controllers?
CodeIgniter can still access them. For example,
Code:
codeigniter/
    application/
    system/
public_html/
    index.php
Code:
$system_folder = "../codeigniter/system";
$application_folder = "../codeigniter/application";
#6

[eluser]psolms[/eluser]
Thanks for all the help. I think moving the files will work perfectly.
#7

[eluser]SitesByJoe[/eluser]
Even if you move the files, the url will still call the files the same way.

http://mysite.com/path_to_CI/index.php/a...controller

- is still running through index.php and gaining access. You'll still want some sort of authentication in place to handle that occurrence.
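Added illustration, not code from any poster in this thread, of the authentication gate the last two replies call for: a base controller whose constructor checks the session before any admin controller method runs, so moving files out of the docroot and this check work together. It assumes a CodeIgniter 2.x layout (application/core/MY_Controller.php extending CI_Controller), an autoloaded Session library, and that a successful login stores user_id and is_admin in the session; those key names and the auth/login route are assumptions.

```php
<?php
// application/core/MY_Controller.php (CodeIgniter 2.x layout, assumed)
// Assumes the Session library is autoloaded and that login stored
// user_id and is_admin in the session. Key names are assumptions.

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
    }
}

// Every controller under application/controllers/admin/ extends this
// instead of CI_Controller. The gate runs in the constructor, so it
// cannot be bypassed by requesting a different method of the controller,
// and it runs whether the request comes via index.php or a rewritten URL.
class Admin_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');   // needed for redirect()

        $user_id  = $this->session->userdata('user_id');
        $is_admin = $this->session->userdata('is_admin');

        if ($user_id === FALSE) {
            // Not logged in at all: send to the login form and stop.
            redirect('auth/login');
        }

        if ($is_admin !== TRUE) {
            // Logged in but not an admin: deny explicitly instead of serving the page.
            show_error('You are not allowed to access this page.', 403);
        }
    }
}

// application/controllers/admin/dashboard.php would then start with:
//
//   class Dashboard extends Admin_Controller
//   {
//       public function index() { /* only reached by a logged-in admin */ }
//   }
```

The check runs on every request to an admin controller, so the .htaccess and the relocated application folder only stop direct file reads while this is what stops a non-admin calling the controller through index.php.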
