• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/

19 answers to this question


  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to be redirected to your PHP-authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have php run first, then look for the requested file and output it transparently for the user).

Now you need to know what to write into the .htaccess... I don't know much about apache syntax, but I think this may work:

RewriteEngine on
RewriteRule abs/path/to/the/files/(.*) abs/path/to/the/script/yourScript.php?request=$1

I'm not completely sure this will work well... test around and take a look at this

Well you see it passes the name of the file to the 'request' get-parameter of your php script (which might be located anywhere else, not necessarily the same folder, this way you'd avoid that they pointed to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

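$filename = basename($filename); // keep only the file name, so "../" in the request cannot reach other directories
header('Content-Disposition: attachment; filename="'.$filename.'"');
readfile('path/to/the/files/'.$filename);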

You may have made some checks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
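
The approach from the posts above (a PHP script that checks the login and then sends a file from a directory that is not served directly), as an added example that is not code from any poster in this thread. The session key `customer_id` and the directory `/srv/support-files` are assumptions; the `request` parameter is the one from the rewrite rule above.

```php
<?php
// Added example. Assumptions: the login script sets $_SESSION['customer_id'],
// and FILES_DIR is a hypothetical directory that is not reachable by URL.
declare(strict_types=1);
const FILES_DIR = '/srv/support-files';

// Map the requested name to a real file inside $baseDir, or null.
// realpath() collapses "../" and symlinks, so the prefix check rejects
// anything that resolves outside the directory.
function resolveDownload(string $baseDir, $request): ?string
{
    if (!is_string($request) || $request === '' || strpos($request, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $request);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['customer_id'])) {   // not logged in through the PHP login
    http_response_code(403);
    exit('Not authorized');
}

$path = resolveDownload(FILES_DIR, $_GET['request'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

session_write_close();        // release the session lock during the transfer
set_time_limit(0);            // a 100 MB download can outlast the default limit
while (ob_get_level() > 0) {  // with buffering off, readfile() streams the file
    ob_end_clean();           // instead of holding it all in memory
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the script reads the file from disk rather than over HTTP, the files directory can sit outside the web root or be denied to all web requests, and no server login prompt is involved.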
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap string and echo it to the browser as attachment. In the worst case there is a command in htaccess to change the time limit anyway for current call, so you may use that.

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for your help!

  • 0

Just so you know, if they're running iis6, instead of .htaccess use web.xml :) It does the same thing but on iis. Atm it's not as rich as apache, but it has all the major and most used function capability. (iis7 says it will be just as rich as .htaccess)

I was about to say, if it was on apache php can control the authentication box, I can't remember the code *damn* anyway can't be done on iis atm.

  • 0

why not use php to protect the info, have a form input and validate a password

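<?php
// Password submitted by the form (empty string if the field is missing)
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
// Third argument makes the comparison strict, avoiding PHP's loose type matching
if (in_array($password, $valid_pw, true)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>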

  • 0
  j79zlr said:
why not use php to protect the info, have a form input and validate a password

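<?php
// Password submitted by the form (empty string if the field is missing)
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
// Third argument makes the comparison strict, avoiding PHP's loose type matching
if (in_array($password, $valid_pw, true)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>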


I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.