Secure MVC Website Structure
You may have stumbled upon some weird constructs that mix presentation and logic all the way in. It’s hard to work with this kind of code. This little tutorial shows how to create a simple MVC structure that fits any website or web application and ease the development and maintenance.
Let’s start with a proper schema. Simple Model-View-Controller structure example is available in the picture below.
This directory setting has one primary requirement - you need to direct each user’s request using virtual hosts (properly configured domain) or symbolic links to the web/ directory. For the sake of this tutorial, let’s assume that our domain, www.example.com already does that. Now that’s where the magic happens - .htaccess file should look as follows:
Let’s analyse it’s code line by line:
- The code’s wrapped in an IfModule which checks for mod_rewrite availability. It’s an apache module that enables the rewrite engine on the server.
- RewriteEngine On enables usage of all rule rewrites in the file
- Third line checks if the file requested by the user exists. For example, let’s say that user wanted to access www.example.com/abc.php. Since we don’t want to keep any Php files in the web/ directory, abc.php just won’t be there. And that’s when !-f flag comes into the play - when requested file doesn’t exist, following RewriteRule set is executed.
- RewriteRule located here is executed only when above RewriteCond is true. It basically redirects any request to index.php file including any query string that has been passed to previously requested file (QSA flag’s responsible for that). From there user’s request is dispatched to proper controller.
That’s basically it. User will be able to access any file located in web/ subdirectories but won’t have any possibility to browse any directory above. This way we secure our website or web application against accidental data leaks through uncontrolled file access by URL manipulation or index browsing (when Options +Indexes is enabled in directory or apache config).
Rest of the structure has following functions:
- config - all config files, containing database login, password and stuff like that, should be placed here,
- controller - contains controllers that process user’s request, fetch data from the model and pass them to the view,
- lib - holds external libraries used in the development process,
- model - contains classes with methods used to communicate with the database and some business logic,
- template - all view files should be placed here
Using what was presented here your logic and presentation will be properly separated and provide protection against unauthorized file access - the rest is up to the developer. I encourage to use at least this kind of simple MVC structure, it’ll make your life easier. You may even avoid a beating. Or not.