• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

Link to comment
https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/
Share on other sites

19 answers to this question

Recommended Posts

  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to be redirected to your PHP-authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have php run first, then look for the requested file and output it transparently for the user).

Now you need to know what to write into the .htaccess... I don't know much about apache syntax, but i think this may work:

RewriteEngine on
RewriteRule abs/patch/to/the/files/(.*) abs/path/to/the/script/yourScript.php?request=$1

I'm not completely sure this will work well... test around and take a look at this

Well you see it passes the name of the file to the 'request' get-parameter of your php scipt (which might be located anywhere else, not necesarily the same folder, this way you'd avoid that they pointed to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

header('Content-Disposition: attachment; filename="'.$filename."');
readfile('path/to/the/files/'.$filename);

You may have made some cheks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap sring and echo it to the browser as attachment. In the worst case there is a command in htaccess to change the time limit anyway for current call, so you may use that.

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for you help!

  • 0

Just so you know if there running iis6 instead of .htaccess use web.xml :) it does the same thing but on iis. Atm its not as rich as apache, but it has all the major and most used function capability. (iis7 says it will be just as rich as .htaccess)

I was about to say, if it was on apache php can control the authentication box, I cant remeber the code *damn* anyway cant be done on iis atm.

  • 0

why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_ps)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>

  • 0
  j79zlr said:
why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_ps)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>

585414562[/snapback]

I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • It's cheaper to let their 3rd party sales people do more than supporting thousands in-house. Sucks for those who lost a job but these tech and entertainment companies overstaffed with the lockdown and the huge boost in demand they got when everyone was stuck at home.
    • The Xbox game bar says hi. It's been able to show you CPU, RAM, GPU and FPS for as long as I can remember.
    • WinSCP 6.5.2 by Razvan Serea  WinSCP is an open source free SFTP client, FTP client, WebDAV client and SCP client for Windows. Its main function is file transfer between a local and a remote computer. Beyond this, WinSCP offers scripting and basic file manager functionality. WinSCP features: Graphical user interface Translated into several languages Integration with Windows (drag&drop, URL, shortcut icons) U3 support All common operations with files Support for SFTP and SCP protocols over SSH-1 and SSH-2 and plain old FTP protocol Batch file scripting and command-line interface Directory synchronization in several semi or fully automatic ways Integrated text editor Support for SSH password, keyboard-interactive, public key and Kerberos (GSS) authentication Integrates with Pageant (PuTTY authentication agent) for full support of public key authentication with SSH Explorer and Commander interfaces Optionally stores session information Optionally supports portable operation using a configuration file in place of registry entries, suitable for operation from removable media WinSCP 6.5.2 changelog: Thumbnail view in file panels. Three selectable sizes of toolbar icons, showing slightly larger size by default. Switching to Segoe UI font with slightly larger size. Improvements to Synchronization checklist window, including resolving file moves and pushing synchronization to background queue. Ongoing local delete operation can be moved to a background queue. Optimized working with large local directories. Compatibility with new OneDrive WebDAV interface. Dark theme for session tabs. Improvements to S3 support, including more options to authentication and display and modification of S3 file/object tags. List of all changes. Download: WinSCP 6.5.2 | 11.6 MB (Open Source) Download: WinSCP MSI | 28.7 MB Download: Standalone Executable | 8.4 MB Link: WinSCP Home page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • QOwnNotes 25.6.2 by Razvan Serea QOwnNotes is a open source (GPL) plain-text file notepad with markdown support and todo list manager for GNU/Linux, Mac OS X and Windows, that (optionally) works together with the notes application of ownCloud (or Nextcloud). So you are able to write down your thoughts with QOwnNotes and edit or search for them later from your mobile device (like with CloudNotes) or the ownCloud web-service. The notes are stored as plain text files and you can sync them with your ownCloud sync client. Of course other software, like Dropbox, Syncthing, Seafile or BitTorrent Sync can be used too. Features: the notes folder can be freely chosen (multiple note folders can be used) sub-string searching of notes is possible and search results are highlighted in the notes application can be operated with customizable keyboard shortcuts external changes of note files are watched (notes or note list are reloaded) older versions of your notes can be restored from your ownCloud server trashed notes can be restored from your ownCloud server differences between current note and externally changed note are showed in a dialog markdown highlighting of notes and a markdown preview mode notes are getting their name from the first line of the note text (just like in the ownCloud notes web-application) and the note text files are automatically renamed, if the the first line changes compatible with the notes web-application of ownCloud and mobile ownCloud notes applications compatible with ownCloud's selective sync feature by supporting an unlimited amount of note folders with the ability to choose the respective folder on your server manage your ownCloud todo lists (ownCloud tasks or Tasks Plus / Calendar Plus) or use an other CalDAV server to sync your tasks to encryption of notes (AES-256 is built in or you can use custom encryption methods like Keybase.io (encryption-keybase.qml) or PGP (encryption-pgp.qml)) dark mode theme support theming support for the markdown syntax highlighting all panels can be placed wherever you want, they can even float or stack (fully dockable) support for freedesktop theme icons, you can use QOwnNotes with your native desktop icons and with your favorite dark desktop theme support for hierarchical note tagging and note subfolders support for sharing notes on your ownCloud server portable mode for carrying QOwnNotes around on USB sticks Evernote import QOwnNotes is available in many different languages like English, German, French, Polish, Chinese, Japanese, Russian, Portuguese, Hungarian, Dutch and Spanish Changes in QOwnNotes 25.6.2: The Find action dialog is now working again (for #3294) Added more French translation (thank you, jd-develop) Download: QOwnNotes 25.6.2 | 37.3 MB (Open Source) Download: QOwnNotes for Other Operating Systems View: QOwnNotes Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • First Post
      Fuzz_c earned a badge
      First Post
    • First Post
      TIGOSS earned a badge
      First Post
    • Week One Done
      slackerzz earned a badge
      Week One Done
    • Week One Done
      vivetool earned a badge
      Week One Done
    • Reacting Well
      pnajbar earned a badge
      Reacting Well
  • Popular Contributors

    1. 1
      +primortal
      704
    2. 2
      ATLien_0
      279
    3. 3
      Michael Scrip
      209
    4. 4
      +FloatingFatMan
      197
    5. 5
      Steven P.
      130
  • Tell a friend

    Love Neowin? Tell a friend!