I'm Dudley Storey, the author of Pro CSS3 Animation. This is my blog, where I talk about web design and development with HTML, CSS and SVG. To receive more information, including news, updates, and tips, you should follow me on Twitter or add me on Google+.


Safeguard Site Files by Placing Them Above the Web Root

Hiding files out of reach, while still making them available as resources

The most common method of restricting access to files on a web server is with an .htaccess file. While this obviously works, it is somewhat fragile: the entire protective strength of the technique relies on a string of characters in a single text file, so if that file is deleted, mis-edited or ignored by the server configuration, the protection vanishes.

A better technique is to lift the files and folders that you wish to protect completely free from the web root, placing them elsewhere on the server. This means that no outside HTTP request can ever touch them. It’s a technique often suggested by frameworks and Content Management Systems, and is much more secure, but it comes with three challenges:

The good news is that if your web hosting provider does allow you to roam free on the server, you can achieve this level of protection quickly.

First, let’s look at a typical web hosting setup. In this case, an Ubuntu LAMP stack at my preferred vendor, Digital Ocean:

As you can see, this hosting company gives me complete access to the server. The site files are contained in an html folder, which exists inside a www folder. In turn, these are contained in a var folder, along with many other directories.

All the publicly accessible files are in the html folder. Certain other files, such as PHP includes, database connection scripts and framework config files, should be inaccessible to normal visitors while remaining available to the site itself.

Learning The Path

The first step is working out exactly where the html folder is on the server. While you might be able to work that out from the structure shown above, there’s one foolproof method, so long as your server is running PHP: create a quick test.php page containing a single line of code:

<?php echo __FILE__; ?>

Upload test.php to the public web folder (html, in this case) and view it in a browser using the complete URL:

http://mysite.com/test.php

The result, printed out on the page, will probably look something like this:

/var/www/html/test.php

On a local testing server like MAMP, it might look like this:

/Applications/MAMP/htdocs/test.php

Regardless of the details, you have the information you need: the actual location of this page on the server. Given that information, we can work “backwards” from the public location, to a new private folder we’ll create in the next step.

Before doing so, record the information reported by the page and delete test.php from the server.

Crafting A Location

Now that we know the path, we can create a folder above the level of the public folder, aka the “web root”. In my case, I’ve decided to create a folder called includes. Into this will go any sensitive data that I don’t want revealed to eyes peering through a browser. For the purposes of demonstration, I’ve placed a private.inc file in the new folder.

Using The New Location

To use private.inc in a page, we must be slightly clever with paths, because the file is no longer reachable by a URL or by a path relative to the public folder. On the server demonstrated here, I would use the following absolute path on a public page contained in the html folder:

<?php include("/var/includes/private.inc"); ?>

This allows me to use the include file without ever making it publicly available: a neat trick.
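The same idea, written as an added example rather than code from the article: the path to the private folder is derived from the script’s own location instead of being typed in, and the file is refused if it turns out to resolve inside the document root after all. It assumes the layout shown above (public files in /var/www/html, private files in /var/includes, two levels up) and a hypothetical helper name, load_private.

```php
<?php
// Added example, not from the original article. Assumes public pages live in
// /var/www/html and private files in /var/includes, as shown in the article.

// __DIR__ is the folder holding this script (e.g. /var/www/html);
// dirname(__DIR__, 2) climbs two levels to /var, where "includes" sits.
define('PRIVATE_DIR', dirname(__DIR__, 2) . DIRECTORY_SEPARATOR . 'includes');

/**
 * Load a file from PRIVATE_DIR, checking that it really lives outside the
 * public document root before including it. (Hypothetical helper name.)
 */
function load_private(string $name): void
{
    // Accept bare file names only, so a caller cannot climb out of PRIVATE_DIR.
    if (basename($name) !== $name) {
        throw new InvalidArgumentException("bare file name expected: $name");
    }

    $path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        // Missing file, or the web server user cannot read the folder.
        throw new RuntimeException("private file not found: $name");
    }

    // If a misconfiguration ever placed PRIVATE_DIR under the document root,
    // the file would be served over HTTP like any other, so refuse to use it.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docroot !== false && strpos($path, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("refusing $name: it resolves inside the web root");
    }

    require_once $path;
}

load_private('private.inc');
```

The folder above the web root still has to be readable by the account the web server runs as (www-data on Ubuntu), which is why the realpath failure is reported separately from the web-root check.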
