• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/

19 answers to this question

  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to be redirected to your PHP-authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have php run first, then look for the requested file and output it transparently for the user).

Now you need to know what to write into the .htaccess... I don't know much about Apache syntax, but I think this may work:

RewriteEngine on
RewriteRule abs/path/to/the/files/(.*) abs/path/to/the/script/yourScript.php?request=$1

I'm not completely sure this will work well... test around and take a look at this

Well you see it passes the name of the file to the 'request' get-parameter of your PHP script (which might be located anywhere else, not necessarily the same folder, this way you'd avoid that they pointed to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

// Tell the browser to save the response as a download under this name
header('Content-Disposition: attachment; filename="'.$filename.'"');
// Send the file's contents as the response body
readfile('path/to/the/files/'.$filename);

You may have made some checks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap string and echo it to the browser as attachment. In the worst case there is a command in htaccess to change the time limit anyway for current call, so you may use that.
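
An added example, not code from any poster in this thread: a download gate that combines the "PHP file that opens the protected file only if authorized" idea with the header()/readfile() answer above. It confines the requested name to the storage directory and streams in chunks so that files over 100MB do not run into the memory or time limits discussed. The storage path, the `user_id` session key and the handling of the `request` parameter are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: files live outside the web
// root in STORAGE_DIR, the login script sets $_SESSION['user_id'], and the file
// name arrives in the 'request' GET parameter as in the RewriteRule post.
const STORAGE_DIR = '/var/www/private/support-files'; // hypothetical path

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);          // not logged in: no file, no auth prompt
    exit('Not authorized');
}

$raw = (isset($_GET['request']) && is_string($_GET['request'])) ? $_GET['request'] : '';
$requested = str_replace("\0", '', $raw);   // null bytes are never valid in a path
$base = realpath(STORAGE_DIR);
// realpath() resolves ../ and symlinks and returns false for missing files.
$path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);

// Reject anything that resolves outside STORAGE_DIR or is not a regular file.
if ($path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

$fh = fopen($path, 'rb');             // open before any download headers are queued
if ($fh === false) {
    http_response_code(500);
    exit('Cannot open file');
}

// Keep quotes and control characters out of the header value.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

set_time_limit(0);                    // a large download can outlive the default limit
while (ob_get_level() > 0) {          // drop output buffers so data is not held in memory
    ob_end_clean();
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

while (!feof($fh)) {
    echo fread($fh, 8192);            // stream in 8 KB chunks
    flush();
}
fclose($fh);
```

Because the files sit outside the web root, there is no direct URL to hand out and no .htaccess prompt to suppress; the session check is the only way in.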

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for your help!

  • 0

Just so you know, if they're running IIS6, instead of .htaccess use web.xml :) It does the same thing but on IIS. Atm it's not as rich as Apache, but it has all the major and most used function capability. (IIS7 says it will be just as rich as .htaccess)

I was about to say, if it was on Apache, PHP can control the authentication box. I can't remember the code *damn*. Anyway, it can't be done on IIS atm.

  • 0

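Why not use PHP to protect the info, have a form input and validate a password?

<?php
// Read the submitted password; default to an empty string when the field is missing
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
// Strict comparison (third argument) avoids PHP's loose type juggling
if (in_array($password, $valid_pw, true)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>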

  • 0
  j79zlr said:
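Why not use PHP to protect the info, have a form input and validate a password?

<?php
// Read the submitted password; default to an empty string when the field is missing
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
// Strict comparison (third argument) avoids PHP's loose type juggling
if (in_array($password, $valid_pw, true)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>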


I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.