Help with security doubt (PHP MYSQL APACHE Windows)

for example i have this url: http://localhost/miSite/uploads/ and by doing:

http://localhost/miSite/uploads/../includes/, this results in 开发者_C百科a directory (includes) linsting.

It'd be great if you could tell me a way to resolve this.

Directory Indexing

You can also use .htaccess to disable indexing, or Directory Browsing. By default, this option is turned on in the server's configuration files. To disable this, add this line to your .htaccess file:

Options -Indexes

The possibility of using relative references is not a real problem:

http://localhost/miSite/uploads/../includes/

resolves to

http://localhost/miSite/includes/

which can be addressed directly anyway. If you have sensitive files in there, you should move them outside the web root, or block the directory listing.

What would be a real problem is if the following would work:

http://localhost/../miSite/includes/

which would serve files outside the document root. But that will not happen with an up-to-date web server.

There's 3 things you can do, ranging from least secure to most secure.

1. Disable indexes as proposed by @Lizard
2. Make a rule in the htaccess file to deny access to folders people aren't allowed to access
3. Move the files that shouldn't be accessed outside of the DocumentRoot.