PHP security - Website Directory Structure

So I have a fairly noobish question, I have been reading up a lot around the subject, but can't quite find the answer I want, so bear with me...

I have a fairly simple website that I have been designing, consisting of the following:

1) HTML and PHP files that I w开发者_运维问答ant the user to be able to access directly by typing in the url in the browser.

2) HTML files that are only to be viewed inside an iframe in 1) (don't ask me why I used iframes)

3)PHP files that are called on by 1), e.g. when form data is submitted. I want 2) and 3) to be accessible to 1), but not directly accessible to the user by typing in the url.

4) images and includes, etc.

5) maybe this is a different issue altogether, but I also have a MySQL database.

I understand that I can control access to files by putting them in private/public folders in the website directory? My question is how should my directory structure be and where should I put 1), 2), 3), etc.?

Thanks a lot for your help.

Your directory structure does not matter. Any URL that is accessible to some users is accessible to all users. You only have control over the content of that URL.

If you really need to limit access to the content loaded by 1) you have to use PHP to serve the content. That PHP script can check some parameters or login credentials or something that makes sure the URL has been loaded by 1).

However, it's hard to give you a clear answer since you don't describe the concrete problem you're having. For example, it makes much difference how secure the method needs to be. For example, it's rather simple to check if a URL is loaded inside a frame using JavaScript but that check is not hard to circumvent.

Your httpdocs directory is your Apache DocumentRoot (found in /etc/httpd/conf/httpd.conf) or your vhost DocumentRoot (if you've got vhosts defined), so assuming Linux:

1,2,4 should go into /var/www/vhosts/sitename.com/httpdocs/ - these are directly accessible through the browser.

3 should go into /var/www/vhosts/sitename.com/library/. When the user submits data it should hit a handler page (the user must be able to "see" this page) and that page includes the necessary files from this library directory. As long as your server is configured to run PHP for all *.php scripts this is probably unnecessary, as there is little advantage to be gained from hiding PHP scripts. If you don't want them invoked directly and you'd like to leave them in a publicly accessible area, try:

public script:

define('INVOKED_BY_SCRIPT', true);
...
include "../library/hiddenScript.php";

"hidden" script:

if (!defined('INVOKED_BY_SCRIPT') || true !== INVOKED_BY_SCRIPT) {
    echo "Cannot invoke directly";
    exit;
}

Your MySQL database should be in /var/lib/mysql, or wherever it's been installed by default. Be sure to run the MySQL security script mysql_secure_installation to remove default passwords and test databases.

Everything except the includes should be in your public_html directory.

For 3, it is not possible to have a PHP script that can be referenced by a form, but it not accessible by the user typing in the address into the address bar. The best you could do is to check the post variables to see whether anything has been posted. You could check the HTTP_REFERER variable, but I would not recommend this since it cannot be relied on.

• You can't make HTML only to be viewed inside an iframe

• There are NO files called by 1). It's users browser that calls your files.

So, just leave your directory structure as is, it's okay.

What you're probably looking for is a way to "hide" your executable files outside of the document root, which you can do with a directory structure something like this:

• public_html <-- (document root)
  • index.php <-- (publicly accessed index file)
  • images
  • htmlstuff
• private_index.php <-- (application's "real" index file)
• application
• tmp

Then, for public_html/index.php, you'd just have:

<?php
require_once('../private_index.php');