:-\ What I know is that a username/password can be incorporated in a URL:
I have run scripts in protected folders via Cron like that. However, if you incorporate username/pass into your source it will be only be protected against superficial users. It would be clearly visible in the source.
Two other thoughts: You could call a php or asp script from the form and this script would then call the protected script.
Or you could try to make rewrite rules that only allow certain referrers (although this could be spoofed).
OK, just my 2p...
Hope it helps,
|You could call a php or asp script from the form and this script would then call the protected script. |
You mean call a script from an unprotected directory which uses an include to call the real script from the protected directory?
<added>I tried that. I get a 500 Internal Server Error</added>
|<added>I tried that. I get a 500 Internal Server Error</added> |
What exactly gave you the 500 error?
I do something pretty similar to what you want to do on my site. About 3/4 of my code and all the templates are in protected directories to prevent direct access by outsiders. Then my script includes the protected files as they are needed. Works fine.
Thanks for your reply BlueSky. The 500 error is very vague, and I checked my error logs but it doesn't look like this error was recorded.
Can you provide an example of how you set your site up? Here's what I did to generate the 500 error:
I put my real scripts in 'newfolder' and renamed them to 'scriptname_script'. I removed the password from 'cgi-bin' and applied it to 'newfolder'. Then I replaced each script in the cgi-bin with a new script with this include statement:
<? include "../newfolder/scriptname_script.php";?>
<added>I also tried putting 'newfolder' in 'cgi-bin' and changing the include statement to
<? include "newfolder/scriptname_script.php";?>. Still got the 500 server error.</added>
In answer to your first question, to keep people from browsing through your cgi-bin, either take the indexes option off of that directory, or put a (possibly empty) index.html or index.cgi in there to keep them from seeing the directory index.
Well, scratch that...I see you went down per the section you added. If your unprotected scripts are at the same level as your /newfolder, try this with the php as part of the tag:
<?php include "newfolder/scriptname_script.php";?>
If that doesn't work, unprotect the directory and try the include again. It kinda sounds like the path is off but might as well rule out the protection being in the way. I've never run PHP as a CGI only as a module which works fine with protected directories. So, I don't see why the CGI wouldn't work too. In fact, I include some protected files located in the CGI-BIN.
[edited by: BlueSky at 7:26 pm (utc) on Sep. 21, 2003]
What are requires?
My paths are fine - cgi-bin contains 'newfolder'. 'newfolder' contains the actual scripts and the scripts in 'cgi-bin' call them with this path "newfolder/scriptname_script.php".
|What I have is a few directories in the cgi-bin so I protected the whole bin. Then outside I call the protected files with includes or requires. |
See I use a form so in order to run the script I cant use an include, unless I put the include in another script that the form calls.
When I wrote that you had posted the path was going upwards. That is why I said your path sounded off. By the time I posted, you had added that you tried it going downwards. Requires are similar to includes but used unconditionally.
Sounds like you need to rework your script a little to handle includes.
|By the time I posted, you had added that you tried it going downwards. |
Hehe sorry bout that.
|Sounds like you need to rework your script a little to handle includes. |
Here is my form:
<form action="cgi-bin/fakescript.php" method="post">
<input type=text value="email@example.com" name="email" size="20">
<input type="SUBMIT" VALUE="Submit">
My fake script:
<?php include "scripts/realscript.php";?>
My real script:
500 Internal Server Error :(
I guess that works after all. My host didn't have my cgi-bin activated. Thanks for your help.