1
votes

Well, as a start, please excuse me for my beginner English.

I want to know more about security in PHP MVC applications

I've created my own MVC; I still haven't finished it.
My application directory is exposed by URL access with child elements.

How to make this hidden from visitors?

The following is what I am trying:

Apache mod_rewrite?

I still don't know how to make an empty index.html in each folder like the CodeIgniter framework does?

What should I use to indicate something, and how do I make it?

Edit: I know a little something about rewrite rules.

Below is my .htaccess:

    Options -MultiViews
    RewriteEngine On
    RewriteBase /ligia

    #RewriteCond %{REQUEST_FILENAME} -f [OR]
    #RewriteCond %{REQUEST_FILENAME} -l [OR]
    #RewriteCond %{REQUEST_FILENAME} -d
    #RewriteRule .+ -
    #I know, it is commented

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule "^(.+)$"    "index.php?uri=$1"   [QSA,L]

But I am worried whether this is the best way to keep my MVC application secure!?

I need help!

1
If they are a visitor then they won't be logged in. Test this value before showing the option on the web page, i.e. if( user_logged_in ) { show links } – user2417483

Place all the framework code outside the webroot, e.g. with a typical cPanel Apache server, place it outside public_html. Only have your entry point (index.php) and any static assets (CSS, JS, images) in the webroot. – Steve

Please learn the basics of the technologies and read appropriate books and tutorials before you ask questions on SO. – Maciej Jureczko

1 Answer

1
votes

First make sure that your .htaccess file is in your document root (the same place as index.php) or it'll only affect the sub-folder it's in (and any sub-folders within that - recursively).

Next, make a slight change to your rule so it looks something like:

    RewriteEngine on
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php?path=$1 [NC,L,QSA]

At the moment you're just matching on ., which is one instance of any character; you need at least .* to match any number of instances of any character.

If you want the whole shebang installed in a sub-directory, such as /mvc/ or /framework/, the least complicated way to do it is to change the rewrite rule slightly to take that into account.

    RewriteRule ^(.*)$ /mvc/index.php?path=$1 [NC,L,QSA]

And ensure that your index.php is in that folder whilst the .htaccess file is in the document root.

NC = No Case (not case sensitive, not really necessary since there are no characters in the pattern)

L = Last (it'll stop rewriting after this rule, so make sure it's the last thing in your list of rewrites)

QSA = Query String Append, just in case you've got something like ?like=penguins on the end that you want to keep and pass to index.php.
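Putting the question (how to keep the application directories out of reach of visitors) and the answer's front-controller rule together, here is a complete .htaccess as an added example. It is not the asker's file or the answerer's rule. It assumes the file sits in the document root next to index.php, that the framework code lives in sub-directories named app/, core/ and config/ (assumed names; adjust to your layout), and Apache 2.4 with mod_rewrite enabled.

```apache
# Added example .htaccess (not the asker's or the answerer's file).
# Assumes: document root next to index.php; framework code under the
# assumed directories app/, core/ and config/; Apache 2.4 + mod_rewrite.

# No directory listings, no content negotiation surprises.
Options -Indexes -MultiViews
RewriteEngine On

# 1. Refuse any direct request into the framework directories with 403,
#    so a visitor who guesses a path cannot browse or execute files there.
#    Use [R=404,L] instead of [F,L] if you prefer not to confirm that the
#    directory exists at all.
RewriteRule ^(app|core|config)(/|$) - [F,L]

# 2. Refuse direct requests for files that must never be served:
#    the .htaccess itself, config/log dumps, editor backups.
#    (On Apache 2.2 replace "Require all denied" with
#    "Order allow,deny" followed by "Deny from all".)
<FilesMatch "(^\.ht|\.(ini|log|sql|bak)$)">
    Require all denied
</FilesMatch>

# 3. Front controller: anything that is not an existing file or directory
#    (so css/, js/ and image files keep being served directly) is routed
#    to index.php, keeping the original query string (QSA).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?path=$1 [QSA,L]
```

Two points to keep in mind. First, rules 1 and 2 only hide paths; index.php still receives `path` as untrusted input and must map it to a controller through a strict whitelist rather than building an include or file path from it. Second, Steve's comment above is the stronger mitigation: if the framework code lives outside the document root, no rewrite rule is needed to protect it, because the web server cannot serve it in the first place, and rule 1 becomes defence in depth rather than the only barrier.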