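<?php
// web/dashboard/includes/config.php
//
// Bootstrap for the dashboard pages: include guard, constants, path detection,
// security headers, error reporting, hardened session, CSRF token issuance,
// the mysqli connection ($conn) and two upload helpers. It must be included
// before any output is produced because it sends headers and starts the session.

/*--------------------------------------------------------------
# 1. Access Control & Environment Setup
--------------------------------------------------------------*/
declare(strict_types=1);

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
    // Reject requests that target this file directly instead of including it.
    // SCRIPT_FILENAME may be absent (e.g. CLI), hence the default.
    if (basename($_SERVER['SCRIPT_FILENAME'] ?? '') === basename(__FILE__)) {
        http_response_code(403);
        die("<h1>403 Forbidden</h1><p>Direct access not permitted.</p>");
    }
}

// Environment detection
define('ENVIRONMENT', 'production'); // Change to 'development' when testing

/*--------------------------------------------------------------
# 2. Database Configuration
--------------------------------------------------------------*/
// Credentials are taken from the environment when set, so the secret can be
// moved out of this file (and out of version control / backups) without any
// caller changing; the literals remain only as the fallback for this host.
define('DB_HOST', getenv('DB_HOST') ?: 'localhost');
define('DB_USER', getenv('DB_USER') ?: 'u456045770_smartrmeshop');
define('DB_PASS', getenv('DB_PASS') ?: 'Yes@im@270@210');
define('DB_NAME', getenv('DB_NAME') ?: 'u456045770_srmediashop');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', 'utf8mb4_unicode_ci');

/*--------------------------------------------------------------
# 3. Path Configuration (Required for uploads)
--------------------------------------------------------------*/
if (!defined('base_url')) {
    // Auto-detect secure protocol
    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 80) === 443;

    // HTTP_HOST is client-supplied: compare strictly against the allow-list
    // before it is baked into base_url (prevents host-header injection into links).
    $allowed_domains = ['momoeshop.com', 'www.momoeshop.com'];
    $current_domain = $_SERVER['HTTP_HOST'] ?? 'localhost';
    if (ENVIRONMENT === 'production' && !in_array($current_domain, $allowed_domains, true)) {
        header("HTTP/1.1 400 Bad Request");
        die("Invalid domain access");
    }
    define('base_url', ($is_https ? 'https://' : 'http://') . $current_domain . '/');
}

if (!defined('base_app')) {
    // realpath() yields false when the parent cannot be resolved; treat that
    // like a path outside the expected layout rather than continuing with '/'.
    $base_path = realpath(__DIR__ . '/../../');
    if ($base_path === false || strpos($base_path . '/', '/home/') !== 0) { // Adjust based on server structure
        die("Invalid base path configuration");
    }
    $base_path .= '/';
    define('base_app', $base_path);

    // Upload directory: created once, with an .htaccess that serves only image
    // extensions and disables the PHP engine so a file that slips past the
    // extension check is never executed. Failures are logged, not fatal, to
    // keep this best-effort as before.
    $upload_dir = base_app . 'uploads/';
    if (!is_dir($upload_dir)) {
        if (!mkdir($upload_dir, 0755, true) && !is_dir($upload_dir)) {
            error_log('config.php: could not create upload directory ' . $upload_dir);
        } else {
            $htaccess_rules = "Order deny,allow\nDeny from all\n"
                . "<FilesMatch '\.(jpe?g|png|gif|webp)$'>\n"
                . "Allow from all\n</FilesMatch>\n"
                . "php_flag engine off\n";
            if (file_put_contents($upload_dir . '.htaccess', $htaccess_rules) === false) {
                error_log('config.php: could not write ' . $upload_dir . '.htaccess');
            }
        }
    }
}

/*--------------------------------------------------------------
# 4. Security Headers
--------------------------------------------------------------*/
header("Strict-Transport-Security: max-age=63072000; includeSubDomains; preload");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("Content-Security-Policy: default-src 'self'");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: geolocation=(), microphone=()");
// Legacy header; modern browsers ignore it, CSP above is the effective control.
header("X-XSS-Protection: 1; mode=block");

/*--------------------------------------------------------------
# 5. Error Handling
--------------------------------------------------------------*/
// error_reporting() gates logging as well as display, so production keeps the
// full level and only turns display off; error_reporting(0) would have left the
// log file empty despite log_errors=1.
$error_log_file = base_app . 'logs/php_errors.log';
if (ENVIRONMENT === 'development') {
    error_reporting(E_ALL);
    ini_set('display_errors', '1');
} else {
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
}
ini_set('log_errors', '1');
ini_set('error_log', $error_log_file);

/*--------------------------------------------------------------
# 6. Session Security
--------------------------------------------------------------*/
// ini values are passed as strings so the calls are valid on every PHP
// version under strict_types.
session_name('SECURE_SESS');
ini_set('session.cookie_lifetime', '0');                                  // cookie dies with the browser
ini_set('session.cookie_secure', ENVIRONMENT === 'production' ? '1' : '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_strict_mode', '1');                                  // reject uninitialised session ids
ini_set('session.gc_maxlifetime', '1800');                                // 30 minutes
session_start();

// Regenerate ID every 15 minutes
if (!isset($_SESSION['last_regeneration']) || time() - $_SESSION['last_regeneration'] > 900) {
    session_regenerate_id(true);
    $_SESSION['last_regeneration'] = time();
}

/*--------------------------------------------------------------
# 7. CSRF Protection
--------------------------------------------------------------*/
if (empty($_SESSION['csrf_tokens']) || !is_array($_SESSION['csrf_tokens'])) {
    $_SESSION['csrf_tokens'] = [];
}

// A fresh token is issued per request; drop expired entries first so the
// session store does not grow by one entry on every page load.
$now = time();
foreach ($_SESSION['csrf_tokens'] as $old_id => $entry) {
    if (!is_array($entry) || ($entry['expires'] ?? 0) <= $now) {
        unset($_SESSION['csrf_tokens'][$old_id]);
    }
}

$csrf_token_id = bin2hex(random_bytes(16));
$_SESSION['csrf_tokens'][$csrf_token_id] = [
    'token' => bin2hex(random_bytes(32)),
    'expires' => $now + 3600, // 1 hour expiration
    'ip' => $_SERVER['REMOTE_ADDR'] ?? '',
];

/*--------------------------------------------------------------
# 8. Database Connection
--------------------------------------------------------------*/
try {
    $conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // Covers drivers that return instead of throwing; mysqli_sql_exception
    // (a RuntimeException) is caught by the same handler below.
    if ($conn->connect_errno) {
        throw new RuntimeException("Database connection failed: " . $conn->connect_error);
    }
    // Set secure connection parameters
    $conn->set_charset(DB_CHARSET);
    $conn->query("SET time_zone = '+00:00'");
    $conn->query("SET sql_mode = 'STRICT_ALL_TABLES'");
} catch (RuntimeException $e) {
    // Details go to the log only; the client gets a generic message.
    error_log($e->getMessage());
    die("Database connection error. Please try again later.");
}

/*--------------------------------------------------------------
# 9. File Upload Security
--------------------------------------------------------------*/
/**
 * Resolve $path to a canonical location inside the application directory.
 *
 * The directory part of $path is canonicalised with realpath() and must lie
 * within base_app (base_app itself included); traversal via '..' or symlinks
 * pointing elsewhere is rejected. The comparison is done with a trailing
 * separator so a sibling directory whose name merely starts with base_app's
 * name does not pass.
 *
 * @return string canonical directory joined with the basename of $path
 * @throws InvalidArgumentException when the directory does not exist or is outside base_app
 */
function secure_upload_path(string $path): string
{
    $real_base = realpath(base_app) . DIRECTORY_SEPARATOR;
    $user_path = realpath(dirname($path));
    if ($user_path === false) {
        throw new InvalidArgumentException("Invalid file path");
    }
    $candidate_dir = rtrim($user_path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate_dir, $real_base, strlen($real_base)) !== 0) {
        throw new InvalidArgumentException("Invalid file path");
    }
    // Join the validated directory with the file name (the previous version
    // appended the basename to the full $path, duplicating the file name).
    return $candidate_dir . basename($path);
}

/**
 * Build an unpredictable storage name for an uploaded file.
 *
 * Only the extension of the client-supplied name is kept. It is lower-cased
 * so it matches the case-sensitive FilesMatch rule in uploads/.htaccess
 * (an upper-case .JPG would otherwise be stored but never served). The stem is
 * 32 bytes from random_bytes() rather than a time-based uniqid(), so names
 * cannot be guessed by a client.
 *
 * @throws InvalidArgumentException for an extension outside the image allow-list
 */
function generate_filename(string $original): string
{
    $extension = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    $allowed = ['jpg', 'jpeg', 'png', 'webp', 'gif'];
    if (!in_array($extension, $allowed, true)) {
        throw new InvalidArgumentException("Invalid file type");
    }
    return bin2hex(random_bytes(32)) . '.' . $extension;
}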