File Security



I've read a couple of things about editing the htaccess file so that your folders can't be browsed. Can someone expand a little more on this? For instance...

 

...how does someone access my folders (I'm not too bright at these things)?

 

...will I still be able to view my files and folders via FTP?

 

Sorry about the silly questions. ;) Gotta learn sometime!

 

Thanks,

Tracy

Link to comment
Share on other sites

Silly question? No, not at all.

 

Background: we are all used to simply entering a web address like this: www.kwsupport.com into a browser, and expecting to have a web page displayed. The truth is that www.kwsupport.com is simply pointing to a location on someone's computer (TCH's in this case).

 

What really happens is that once the request for "www.kwsupport.com" arrives at TCH, the server takes a look at the request and says: "Hey, they didn't ask for a specific web page. Let me go see if I can find one of the default web home page names."

 

What are the default web home page names? Glad you asked! Things like index.htm, or index.html, or default.htm, or a few others. In this case, the TCH server does find an index.htm and sends it back to you.

 

So, for all intents and purposes: www.kwsupport.com is actually translated and becomes www.kwsupport.com/index.htm

 

So far, so good?

 

OK. Then what happens if a request for a URL (web address) arrives and the server cannot find one of the default web home pages? Well, generally it will display a list of the files that do exist.

 

As an example try pointing your browser to the following URL (or just click on it):

http://www.kwsupport.com/testpagesframes/

 

The result should be a list of files in the directory "testpagesframes" on my web site. If you look at the list of files, one of them is named old-index.htm. That's because I renamed index.htm to old-index.htm to show you what happens.

 

Bottom line: you may have directories full of information on your web site that do not contain actual web pages, but rather files, or images, or documents. And unless you somehow secure or protect or hide them, someone could easily "find", and then access, those files.

 

Oh, BTW, try to enter or click on the following full URL:

http://www.kwsupport.com/testpagesframes/old-index.htm

 

Instead of seeing a list of files, you should now see the web page (old-index.htm) that is stored in that directory.

 

Hope this helps.

-kw

Link to comment
Share on other sites

Thank you for that explanation. I did in fact pull up my images folder and it listed all of my images! Now...for the question that I forgot to ask in the initial post.

 

Where do I find the htaccess file so that I can change it and disable access to my directories? And...once I do, will I notice any changes in my ftp access/options?

 

Thanks so much,

Tracy :P

Link to comment
Share on other sites

If one does not exist in the directory that you wish, then simply create a txt based file called .htaccess and place it in the directory.

 

As to what to put in your .htaccess file, you can search here and on the helpsite and on google. There are a ton of resources available for helping with .htaccess.

 

Your FTP access/options MAY be affected, but it really depends how you set up the .htaccess file.

Link to comment
Share on other sites
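The listing behaviour kw demonstrates above, and the .htaccess fix this post points at, as an added example in Python that is not from this thread or from TCH: it walks a web root the way Apache resolves a request, flagging every directory that has neither an index file nor an inherited `Options -Indexes`, and then writes that directive into the root .htaccess. The index file names, the assumed "listings on" server default, and the constructed sample tree are assumptions made for this example; on a real host the directive only takes effect if the server's AllowOverride setting permits Options.

```python
"""Audit a web root for directories Apache would serve as a file listing.

Added example, not code from the thread. Assumptions: the server default allows
listings (as the kwsupport.com demo above shows), a directory containing one of
INDEX_NAMES is served as a page instead of a listing, and an 'Options' line in a
.htaccess applies to that directory and everything below it.
"""
import os
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php", "default.htm")  # assumed DirectoryIndex


def indexes_from_htaccess(htaccess_path, current):
    """Apply the Options lines of one .htaccess to the inherited Indexes setting.

    Relative form (every token has + or -) adjusts the inherited value; absolute
    form (e.g. 'Options FollowSymLinks') replaces the whole option set, so
    Indexes stays on only if it, or All, is named.
    """
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) < 2 or parts[0].lower() != "options":
                continue
            toks = [t.lower() for t in parts[1:]]
            if all(t[0] in "+-" for t in toks):
                for t in toks:
                    if t[1:] in ("indexes", "all"):
                        current = t[0] == "+"
            else:
                current = any(t in ("indexes", "all") for t in toks)
    return current


def listable_directories(webroot):
    """Return URL paths (relative to the site root) that would come back as a listing."""
    webroot = os.path.abspath(webroot)
    listable = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames.sort()  # deterministic order
        rel = os.path.relpath(dirpath, webroot)
        parts = [] if rel == "." else rel.split(os.sep)
        # Effective Indexes option: .htaccess files from the web root down to here.
        indexes_on = True  # assumed server default
        chain = [webroot] + [os.path.join(webroot, *parts[:i + 1]) for i in range(len(parts))]
        for d in chain:
            ht = os.path.join(d, ".htaccess")
            if os.path.isfile(ht):
                indexes_on = indexes_from_htaccess(ht, indexes_on)
        has_index = any(name in filenames for name in INDEX_NAMES)
        if indexes_on and not has_index:
            listable.append("/" if rel == "." else "/" + "/".join(parts) + "/")
    return listable


def write_htaccess(webroot, rel_dir, text):
    """Create rel_dir under webroot if needed and write text to its .htaccess."""
    target = os.path.join(webroot, rel_dir) if rel_dir else webroot
    os.makedirs(target, exist_ok=True)
    path = os.path.join(target, ".htaccess")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(text)
    return path


def disable_listing(webroot):
    """Append 'Options -Indexes' to the root .htaccess unless it already turns listings off."""
    ht = os.path.join(webroot, ".htaccess")
    if os.path.isfile(ht) and not indexes_from_htaccess(ht, True):
        return ht
    return write_htaccess(webroot, "", "Options -Indexes\n")


def build_demo_webroot():
    """Constructed sample tree mirroring the thread: an images folder with no index page
    and a test folder whose index.htm was renamed to old-index.htm."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "testpagesframes"))
    for name in ("index.htm", "images/logo.gif", "testpagesframes/old-index.htm"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    print("listable before:", listable_directories(root))
    disable_listing(root)
    print("listable after: ", listable_directories(root))
```

Run it against a local copy of your public_html to see which folders an "empty index.htm in every folder" policy has missed; the audit also catches the case where a deeper .htaccess turns listings back on with `Options +Indexes`. It says nothing about what a listing would reveal or about files reachable by exact URL, which the old-index.htm link above shows still works once a name is known.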

  • 2 weeks later...

Two things to add... real basic:

 

Make sure that each folder has an index.htm file... even if it's just blank.

 

Second, certain folders are best kept outside of the public html files... closer to the root of the site. For example, if you access a database and keep a list of your login info in a file, put the folder with the file outside the public root of your site so it's not accessible by the web. Then I'd also password protect the folder with cpanel (.htaccess)

 

Okay... three things: Also, not all FTP programs show .htaccess files at all or maybe they only show the files if you tell the software to show you. So you might already have an .htaccess file... but not know it.

Link to comment
Share on other sites

Okay... three things: Also, not all FTP programs show .htaccess files at all or maybe they only show the files if you tell the software to show you. So you might already have an .htaccess file... but not know it.

 

True. I use several FTP programs and none of them show my .htaccess file (on TCH servers). If you use the file manager in the control panel, you will see that your .htaccess file is there in your public_html folder.

 

Funny thing about File Manager that took me awhile to get used to: Click on folder to open it, click on a name to manipulate it.

Link to comment
Share on other sites

Thanks for all the help...

 

I did in fact find my existing .htaccess file in the public_html folder and I did alter it. I added the "options -indexes" line at the top and that kept my pages from listing as a directory.

 

I will add an index.htm to each folder and I would like to password protect one folder.

 

if you access a database and keep a list of your login info in a file, put the folder with the file outside the public root of your site so it's not accessible by the web. Then I'd also password protect the folder with cpanel (.htaccess)

 

I'm going to need more help on this one, though. Could my login info be in a file and me not know about it? I know that I did not create a file for this, but don't know if one could have been created automatically by any program I've used.

 

And if I put such a file outside the public root, does that mean I would put it one directory up from the public_html directory?

 

Last question...I have no idea how to password protect a folder, but if I figure that out and do it, will I have to provide a separate password when I ftp to the respective folder?

 

Sorry for such basic, silly questions. Gotta learn sometime, though!

 

Thanks again for all the help!

Tracy

Link to comment
Share on other sites

Hi,

 

To password a folder:

 

Find site management in cpanel

 

Click on Web Protect

 

Navigate to the folder (click on folder)

 

Once found, click on folder name

 

Tick the box and give it a unique name

 

And add a user down the bottom

 

Thats it!

 

FTP will not be affected if you do it this way

 

Jim

Link to comment
Share on other sites

Thank you. That will be on my list of "Many Things To Do"!

 

You guys are SOOOO much help to a beginner like myself!!

I don't know what I'd do without ya'...shedding a tear... ;)

 

Tracy

Link to comment
Share on other sites

Okay... that tangent I went off on regarding MySQL passwords in a separate folder...

 

It's true but disregard it.

 

1- If you aren't connecting to a MySQL database then it doesn't matter to you

2- Your login information is not put in any folder that you need to protect.

 

Here's what I was saying...

If I write PHP code to connect to a database, I need to have the password and login info in my code somewhere. But rather than putting the info in my public folders, I'd be smarter to put the info in an array, inside of a password protected folder outside the public root. Then I include those files and variables at run time rather than keeping them in my code.

 

I bet that makes tons of sense... right?

 

Just techno gibberish... don't worry about it.

Link to comment
Share on other sites

Actually, it does make a little bit of sense, but you did lose me once or twice.

 

I do have a MySQL database, although it is only in the beginning stages right now. I work in Dreamweaver and I do have a file called connDBA.php (or something to that effect). I did not remember this file this morning.

 

That file does have my connect info in it. So, I assume this is the type of file you are talking about.

 

I include those files and variables at run time rather than keeping them in my code.

 

The above quote is where I get lost. I'm sure it's very simple, but can you tell me more about how this would work?

 

Tracy

Link to comment
Share on other sites

Okay...

 

 

Although it's tough to read variables set in PHP code... I still want the keys to my database outside of the public html folders.

 

So I create a file called... I dunno... keys.php (little obvious but just an example)

 

<?php
// Database login details, kept in a folder outside public_html.
// The page that needs them include()s this file at run time.
$db = "mydatabase";
$tb = "mytable";
$us = "username";
$ps = "password";
?>

These are variables I made up. You'll need to modify those to your actual login info. Oh, by the way, this assumes you already set up a table or two in your database. Use PHPmyAdmin in CPanel... very easy.

 

So, FTP to your site, create a folder in your root so it sits on the same level as your public_html folder. FTP keys.php to this folder.

 

Now you need a page that connects to the database and does some stuff. Otherwise... what's the point.

 

So let's say it's list_of_something.php

 

<?php
// Pull the keys in at run time from the folder outside the web root.
include("/home/usrnm/folder/keys.php");

// PHP db connection code: connect, then pick the database by name.
$dbh = mysql_connect("localhost", $db, $ps) or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($db);   // takes the database name ($db), not the table name
// rest of your code here
?>

 

replace usrnm with your username

replace folder with the folder you created in your root dir

 

The include() function brings in the keys at run time.

 

Then I would go to cpanel and password protect your folder with the keys.php in it.

 

Hope this helps.

Edited by surefire
Link to comment
Share on other sites
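The keys.php pattern above, redone as an added Python example that is not from this thread: the credentials live in a key=value file beside, not under, public_html and are read at run time, and the loader adds the two checks a practitioner would want before trusting such a file, namely that its real path does not resolve to anywhere under the web root and that its mode grants nothing to group or others. The file format, the account layout and the sample values are assumptions made for this example; the secret-handling point is the same whether the page that uses them is PHP or anything else.

```python
"""Load database credentials from a file kept outside the web root.

Added example, not code from the thread. Assumptions: a key=value text file
(the thread uses a PHP file pulled in with include()), a /home/usrnm layout with
public_html and a private 'keys' folder side by side, and POSIX file modes.
"""
import os
import stat
import tempfile


class SecretsError(Exception):
    """Raised when the secrets file is in the wrong place or too permissive."""


def is_inside(path, root):
    """True if path, after resolving symlinks and '..', lies under root."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def load_db_credentials(keys_path, docroot,
                        required=("host", "user", "password", "database")):
    """Parse a key=value secrets file after checking its location and permissions."""
    if is_inside(keys_path, docroot):
        raise SecretsError("%s is inside the web root %s; anyone can request it by URL"
                           % (keys_path, docroot))
    mode = stat.S_IMODE(os.stat(keys_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsError("%s is group/world accessible (mode %o); use chmod 600"
                           % (keys_path, mode))
    creds = {}
    with open(keys_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    missing = [k for k in required if k not in creds]
    if missing:
        raise SecretsError("secrets file is missing: " + ", ".join(missing))
    return creds


def write_secrets(path, text, mode=0o600):
    """Write a secrets file with the given mode (0600: owner read/write only)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


SAMPLE_KEYS = (
    "# constructed sample credentials, not real ones\n"
    "host=localhost\nuser=username\npassword=password\ndatabase=mydatabase\n"
)


def build_demo_account():
    """Constructed layout: <tmp>/public_html beside <tmp>/keys/db.conf (not a real host)."""
    home = tempfile.mkdtemp(prefix="usrnm_")
    docroot = os.path.join(home, "public_html")
    os.makedirs(docroot)
    keys_path = write_secrets(os.path.join(home, "keys", "db.conf"), SAMPLE_KEYS)
    os.chmod(os.path.dirname(keys_path), 0o700)
    return docroot, keys_path


if __name__ == "__main__":
    docroot, keys_path = build_demo_account()
    creds = load_db_credentials(keys_path, docroot)
    print({k: ("***" if k == "password" else v) for k, v in creds.items()})
```

Nothing outside the document root can be fetched by URL, so for a file there the controls that matter are the filesystem ones this loader checks: 600 on the file and 700 on its folder, owned by the account the web server runs your scripts as. In PHP the same location check can be done with realpath() before the include().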

By the way... Dreamweaver... in my opinion, doesn't write very clean (or good) php code.

 

It will help you connect to a database, but the rest I would code by hand.

 

It's a pain the first time around... but by using variables in your code, you just cut and paste.

 

Ctrl+c

Ctrl+v

 

My two favorite shortcuts.

 

PHP is best coded by hand.

Link to comment
Share on other sites

Yes, that does help.

 

Also, I may have asked this before, but I missed out on the answer somehow...I'm using Dreamweaver to create templates for my sites. Would using includes for headers/footers as you've both explained in other threads still be useful? I can definitely see how the "keys" include will be helpful, but still a little confused about using the header/footer includes versus building an html/php template using the editor.

 

Thanks to you both for all the help on the php stuff. I'm sure once I understand it all, it will seem simple. Right now, though, it's creeping into my normally peaceful dreams and creating havoc!!! :unsure:

 

Tracy

Link to comment
Share on other sites

My understanding:

 

Let's look at two options on a website with 100 pages. I want to update the layout of my site.

 

Dreamweaver templates option

 

Update the template file

Hit 'Update' on Dreamweaver

FTP every single file to the server

 

End result... static html.

 

Dreamweaver templates is basically a search and replace feature for software that sits on your personal computer's hard drive. (my understanding of it)

 

PHP Includes

 

Update header.php and footer.php

FTP those two files to my server

Done.

 

And....

 

You can do neat stuff like print out title tags automatically or show a date... or randomly choose different logos.

 

Basically... dynamic website.

 

Final analysis...

 

Dreamweaver does neat stuff on your computer but you still have to ftp the stuff to the server. It makes the job of 'search and replace' faster and easier.

 

PHP includes makes the substitution when the page is 'served' to your visitor.

 

Dreamweaver sits on your computer, PHP tells server to do stuff.

 

The latter gives you more options.

 

PHP includes is superior, IMHO, but whatever works best for you is best for you.

Link to comment
Share on other sites

And I second Jim's comment about getting a PHP book.

 

I'd love to say that you can learn all you need to know about PHP from free internet tutorials... but it's not completely true.

 

Having a book on hand saves time and is well worth the $45.

Link to comment
Share on other sites

Hi,

 

Just to add to Jack's post (seem to be having a good rapport with him today)

 

I) Dreamweaver templates stink.

 

II) Also they produce "fat code" which is not needed. Also someone can tell what you've been using.

 

III) About the uploading of the pages, it's true, every single page would need to be changed. Remember FTP comes off your bandwidth allowance. Includes would mean a single page and a lot less FTP.

 

IV) Bad point about includes is that your page will look odd until it's on the server. If you have Dreamweaver MX, you can tick the box to make sure includes are shown.

 

Jim

Link to comment
Share on other sites

I'm still in a state of shock, but I got the include function to work!!! I could not get it to work with this quoted line of code:

$dbh=mysql_connect ("localhost", $db, $ps)or die ('I cannot connect to the database because: ' . mysql_error());

 

...maybe in the connection string, where you have $db was a typo that should have said $us...??? Please tell me if I'm wrong.

 

I added the hostname to my "keys" file and edited the above code to look like this in order to work:

$dbh = mysql_connect($hs, $us, $ps) or die('I cannot connect to the database because: ' . mysql_error());

 

Feels good to get something to work. Now I just have to figure out how to use the info in the database!!!

 

Tracy

Link to comment
Share on other sites

By the way...all points taken and understood concerning DWMX templates versus php include headers/footers! Makes much more sense now, and I agree!

 

Thanks a bunch!

 

...I think I need to return my PHP/Dreamweaver book and get a plain 'ole PHP book!! :unsure:

Link to comment
Share on other sites

  • 2 months later...

What happens if you can't password protect a folder outside the public_html directory? Cpanel won't let you do that.

 

 

Sarah

Link to comment
Share on other sites

Ok, that's what I thought, but I wasn't sure... since someone said to password protect that directory and you couldn't from Cpanel.

 

Well, I just made a folder outside public_html and put some hidden data into it , then referenced it in an include and it worked great.

 

Now, the only thing that I have to figure out is these file permissions and which to set them to so people can't change my files. Anyone help me?

Link to comment
Share on other sites

  • 4 weeks later...

Post removed.

 

Whilst I don't mind open discussion about security in the forums, we should make sure that potential hacking methods are not discussed in open forums. No need to feed fuel to the script kiddies of the world.

 

Please keep this type of discussions to Private Messages.

Edited by Head Guru
Link to comment
Share on other sites
