Question

I have a private folder in my MVC directory structure to which I want to deny all access. The only way this folder (and the files it contains) should be accessible is through includes.

For the public folder, anyone should be able to access that as that is my View.

The root index.php is my entry file, and that should be able to include and execute the private index.php script.

Anybody that can help me out or point me to the right direction with achieving this?

private
    model
    controller
    core
    config.ini.php
    index.php
    ...
public
    stylesheets
    signup.php
    login.php
    index.php
    ...
index.php

Solution

Two ways to do it:

1: Proper way

/homedir/ - where your website is

/homedir/private/ - where your private files are

/homedir/httpdocs/ - public part of the website

2: Another way

/httpdocs/private/ - private files

/httpdocs/private/.htaccess - containing:

    Order allow,deny
    Deny from all

/httpdocs/ - the rest of the files

However, you should know that should your webserver hang up, or should some particular settings change, your .htaccess file might become inactive.

Which means that all your private files will become available via browser.

That's why the first way is preferred over .htaccess restrictions.

What else is possible? Code level restriction:

  1. In every public php script define a constant:

    define("MY_SECRET_CONSTANT", 1);

  2. In every private php script check on the first line of the code whether the constant is defined:

    if (!defined("MY_SECRET_CONSTANT")) { die("Cannot open the file directly."); }
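The two pieces above combined into the layout the "proper way" describes, as an added example that is not part of the original answer: a public entry script that defines the marker constant and pulls in a bootstrap from a private directory kept outside the web root, and the private bootstrap that refuses to run unless that constant exists. File names and the `$privateDir` variable are assumptions for this illustration.

```php
<?php
// ===== httpdocs/index.php : public entry point (constructed example) =====

// Define the marker constant BEFORE loading anything from the private tree.
// Private scripts use its absence to detect a direct request.
define('MY_SECRET_CONSTANT', 1);

// The private tree sits one level above the web root (assumed layout:
// /homedir/httpdocs is served, /homedir/private is not), so the web server
// cannot hand its files out even if every .htaccess rule were lost.
$privateDir = realpath(__DIR__ . '/../private');
if ($privateDir === false) {
    http_response_code(500);
    exit('Private directory not found.');
}

// Hand control to the private front controller via a plain include.
require $privateDir . '/index.php';


// ===== private/index.php : private bootstrap (constructed example) =====
// (Shown in the same block for readability; in practice this is a second file.)

// Guard: only continue when included by a public script that set the constant.
// A direct request to this file (only possible if it is somehow inside the
// web root) never has the constant and stops here.
if (!defined('MY_SECRET_CONSTANT')) {
    http_response_code(403);
    exit('Cannot open the file directly.');
}

// Configuration and framework code are loaded relative to this file, so the
// private directory can live anywhere on disk without changing the public side.
$config = parse_ini_file(__DIR__ . '/config.ini.php', true);
if ($config === false) {
    exit('Invalid configuration file.');
}
require __DIR__ . '/core/Router.php';   // hypothetical core class
```

Every private file that can be reached by an include (models, controllers, core classes) carries the same four-line guard at its top, so the protection does not depend on which file is requested first.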

OTHER TIPS

Add this .htaccess for all of your folder where you don't want direct access.

<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>

If you're using Apache the typical solution is to put a .htaccess file in ./private containing:

    Deny from all

I also concur with hakre that it would make more sense to make the public directory your webroot.

An alternative solution is to make webroot public, then move private outside of the webroot directory.

i.e.

site/private/...etc...
site/www/index.php
site/www/stylesheets/...etc...

Where www is your webroot.

Licensed under: CC-BY-SA with attribution