• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

Link to comment
https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/
Share on other sites

19 answers to this question

Recommended Posts

  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to be redirected to your PHP-authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have php run first, then look for the requested file and output it transparently for the user).

Now you need to know what to write into the .htaccess... I don't know much about apache syntax, but i think this may work:

RewriteEngine on
RewriteRule abs/patch/to/the/files/(.*) abs/path/to/the/script/yourScript.php?request=$1

I'm not completely sure this will work well... test around and take a look at this

Well you see it passes the name of the file to the 'request' get-parameter of your php scipt (which might be located anywhere else, not necesarily the same folder, this way you'd avoid that they pointed to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

header('Content-Disposition: attachment; filename="'.$filename."');
readfile('path/to/the/files/'.$filename);

You may have made some cheks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap sring and echo it to the browser as attachment. In the worst case there is a command in htaccess to change the time limit anyway for current call, so you may use that.

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for you help!

  • 0

Just so you know if there running iis6 instead of .htaccess use web.xml :) it does the same thing but on iis. Atm its not as rich as apache, but it has all the major and most used function capability. (iis7 says it will be just as rich as .htaccess)

I was about to say, if it was on apache php can control the authentication box, I cant remeber the code *damn* anyway cant be done on iis atm.

  • 0

why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_ps)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>

  • 0
  j79zlr said:
why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_ps)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>

585414562[/snapback]

I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Amazon lays off more staff across Goodreads and Kindle divisions by Hamid Ganji Dozens of Amazon employees working on the retailer's book divisions have been laid off. As reported by Reuters, Amazon confirmed that it's cutting jobs across the Goodreads review site and Kindle units, which impacts fewer than 100 workers. Amazon says the recent layoffs across Goodreads and Kindle divisions are meant to improve efficiency and streamline operations. The giant retailer has constantly reduced staff across various divisions over the past few years. According to CEO Andy Jassy, reducing headcounts helps the company to eliminate bureaucracy. "As part of our ongoing work to make our teams and programs operate more efficiently and to better align with our business roadmap, we've made the difficult decision to eliminate a small number of roles within the Books organization," an Amazon spokesperson said. Layoffs recently impacted employees in Amazon's Wondery podcast division, devices and services units, communications, and in-store staff. However, Amazon's Q1 results show the retailer has added about 4,000 jobs compared to Q4 2024. After the Covid pandemic settled down, many companies began laying off thousands of staff they hired during the pandemic to respond to growing demands. The layoff trend among tech firms still exists today, and AI has amplified it. The latest data shows that in 2025, about 62,832 tech employees were laid off across 141 tech companies. Also, 152,922 tech employees across 551 companies were laid off in 2024. More layoffs are expected to occur due to declining economic growth, tariffs, and the expansion of AI across companies. Amazon is also gearing up to double down in AI investments and robotics. The company has recently announced the forming of a new agentic AI team to develop an agentic AI framework for use in robotics. Also, a new report by The Information indicates that Amazon has begun testing humanoid robots for package delivery.
    • Major Privacy 0.98.1.1 Beta by Razvan Serea MajorPrivacy is a cutting-edge privacy and security tool for Windows, offering unparalleled control over process behavior, file access, and network communication. It is a continuation of the PrivateWin10 project. By leveraging advanced kernel-level protections, MajorPrivacy creates a secure environment where user data and system integrity are fully safeguarded. Unlike traditional tools, MajorPrivacy introduces innovative protection methods that ensure mounted encrypted volumes are only accessible by authorized applications, making it the first and only encryption solution of its kind. MajorPrivacy – Ultimate Privacy & Security for Windows key features Process Protection – Isolate processes to block interference from unauthorized apps, even with admin privileges. Software Restriction – Block unwanted apps and DLLs to ensure only trusted software runs. Revolutionary Encrypted Volumes Secure Storage – Create encrypted disk images for sensitive data. Exclusive Access – Unlike traditional tools, only authorized apps can access mounted volumes—blocking all unauthorized processes. File & Folder Protection – Lock down sensitive files and prevent unauthorized access or modifications. Advanced Network Firewall – Control which apps can send or receive data online. DNS Monitoring & Filtering – Track domain access and block unwanted sites (Pi-hole compatible filtering coming soon). Tweak Engine – Disable telemetry, cloud integration, and invasive Windows features for better privacy. Why MajorPrivacy? Kernel-Level Security – Protects at the deepest system level. Unmatched Encryption Protection – Keeps mounted volumes safe from all unauthorized access. Full System Control – Block, isolate, or restrict processes as needed. Enhanced Privacy – Stops Windows & apps from collecting unnecessary data. Perfect for privacy-conscious users, IT pros, and anyone who wants total system control. Major Privacy 0.98.1.1 Beta changelog: The 0.98.1 release of MajorPrivacy introduces significant enhancements and a number of critical fixes aimed at improving usability, localization, and system integration. A major new feature is the introduction of full translation support, allowing the application interface and tweaks to be localized into multiple languages. Initial translations include AI-assisted German and Polish versions, a community-contributed Turkish translation, and Simplified Chinese. Users interested in contributing translations or adding new languages are encouraged to participate via the forum. This version also improves compatibility and deployment by bundling the Microsoft Visual C++ Redistributable with the installer, which is required for the ImDisk user interface. Several important bugs have been resolved. The installer now correctly removes the driver during uninstallation. Tweak definitions have been cleaned up for better consistency. A number of networking issues were addressed, including failures related to network shares and incorrect handling of mapped drive letters. It is now required to use full UNC paths for defining rules involving shared resources. Additionally, configuration persistence issues on system shutdown have been fixed, as well as problems affecting protected folder visibility and rule precedence involving enclave conditions. Finally, the underlying driver code has been refactored, laying the groundwork for better maintainability and future enhancements. MajorPrivacy-v0.98.1.1.exe (0.98.1a) hotfix for #71 Download: Major Privacy 0.98.1.1 Beta | 47.4 MB (Open Source) View: MajorPrivacy Home Page | Github Project page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • OpenAI responds to The New York Times' ChatGPT data demands by Pradeep Viswanathan The New York Times has sued OpenAI for the unauthorized use of its news articles to train large language models. As part of the ongoing lawsuit, the NYT recently asked the court to require OpenAI to retain all ChatGPT user content indefinitely. The NYT's argument is that they may find something in the data that supports their case. Brad Lightcap, COO of OpenAI, wrote the following regarding the NYT's sweeping demand: OpenAI has already filed a motion asking the Magistrate Judge to reconsider the preservation order, since indefinite retention of user data breaches industry norms and its own policies. Additionally, OpenAI has also appealed this order with the District Court Judge. Until OpenAI wins its appeal, it will be complying with the court order. The content defined by the court order will be stored separately in a secure system and will be accessed or used only for meeting legal obligations. Only a small, audited OpenAI legal and security team will be able to access this data as necessary to comply with our legal obligations. As of early 2025, ChatGPT has over 400 million weekly active users, and this data retention order will affect a significant number of them. OpenAI confirmed that ChatGPT Free, Plus, Pro, and Teams subscription users, and developers who use the OpenAI API (without a Zero Data Retention agreement) will be affected by this order. ChatGPT Enterprise, ChatGPT Edu, and API customers who are using Zero Data Retention endpoints will not be affected by this court change.
  • Recent Achievements

    • First Post
      Uranus_enjoyer earned a badge
      First Post
    • Week One Done
      Uranus_enjoyer earned a badge
      Week One Done
    • Week One Done
      jfam earned a badge
      Week One Done
    • First Post
      survivor303 earned a badge
      First Post
    • Week One Done
      CHUNWEI earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      428
    2. 2
      +FloatingFatMan
      239
    3. 3
      snowy owl
      211
    4. 4
      ATLien_0
      211
    5. 5
      Xenon
      157
  • Tell a friend

    Love Neowin? Tell a friend!