PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/

19 answers to this question

  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any request for any file or directory in your folder to your PHP authentication file. From there you may access any file and output it as you like. (You may even link the user to the actual file, and have PHP run first, then look for the requested file and output it transparently for the user.)

Now you need to know what to write into the .htaccess... I don't know much about Apache syntax, but I think this may work:

RewriteEngine on
# "patch" corrected to "path"; [L] stops further rule processing once the request is sent to the script
RewriteRule ^abs/path/to/the/files/(.*)$ /abs/path/to/the/script/yourScript.php?request=$1 [L]

I'm not completely sure this will work well... test around and take a look at this

Well you see it passes the name of the file to the 'request' GET parameter of your PHP script (which might be located anywhere else, not necessarily the same folder; this way you'd avoid them pointing to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

$filename = basename($filename);  // drop any directory part so the request cannot escape the files folder
header('Content-Disposition: attachment; filename="' . $filename . '"');  // quoting fixed: the original closed the string with ."'
readfile('path/to/the/files/' . $filename);

You may want to add some checks to see if the file exists first, for security's sake. Maybe there's some urldecode() to do on the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap string and echo it to the browser as an attachment. In the worst case there is a command in htaccess to change the time limit anyway for the current call, so you may use that.
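The approach the thread converges on (rewrite every request for the protected folder to a PHP script, let the script check the existing login, then stream the file) written out as an added example; this is not code from the thread. It assumes the rewrite rule above passes the filename as the `request` GET parameter, that the support-area login stores a `customer_id` in the PHP session, and that the files live in an assumed directory `/var/www/private/files` outside the web root.

```php
<?php
// Added example, not from the thread. Download gateway: serves a file from the
// protected directory only after the PHP login has already succeeded.
// Assumes: RewriteRule ^files/(.*)$ /download.php?request=$1 [L]
//          and $_SESSION['customer_id'] set by the support-area login script.
session_start();

define('FILES_DIR', '/var/www/private/files');   // assumed; keep it outside the web root

// 1. Only customers already logged in through the support area get past here.
if (empty($_SESSION['customer_id'])) {
    http_response_code(403);
    exit('Not authorized');
}

// 2. Reduce the request to a bare filename so "../" or an absolute path cannot
//    escape FILES_DIR, then confirm the resolved path really is inside it.
$name = basename((string) ($_GET['request'] ?? ''));
$base = realpath(FILES_DIR);
$path = realpath(FILES_DIR . '/' . $name);
if ($name === '' || $base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such file');
}

// 3. Stream in chunks: a 100 MB file never sits in memory, and the time limit is
//    lifted for this request so a slow client does not get cut off mid-download.
set_time_limit(0);
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Cache-Control: private, no-store');   // don't let a shared cache hand it out
while (ob_get_level() > 0) {
    ob_end_clean();   // output buffering would otherwise collect the whole file
}

$fh = fopen($path, 'rb');
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```

Because the real files are never under a web-accessible path, a link handed to someone else is useless without a valid session, and the directory check is what prevents the `request` parameter from reading files elsewhere on the server.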

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for your help!

  • 0

Just so you know, if they're running IIS6, instead of .htaccess use web.xml :) it does the same thing but on IIS. At the moment it's not as rich as Apache, but it has all the major and most used function capability. (IIS7 says it will be just as rich as .htaccess.)

I was about to say, if it was on Apache PHP can control the authentication box, I can't remember the code *damn*; anyway it can't be done on IIS at the moment.

  • 0

Why not use PHP to protect the info? Have a form input and validate a password:

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_pw)) {  // variable name fixed: the original checked $valid_ps, which is undefined
 // the code for valid users here
}
else {
 echo "Not authorized";
}
?>

  • 0
  j79zlr said:
Why not use PHP to protect the info? Have a form input and validate a password: [code quoted above]

I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.
