• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!


19 answers to this question


  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a PHP file that just opens the file in the protected directory, but only if they are authorized? That way, you wouldn't even need to put anyone in the .htaccess file.

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to be redirected to your PHP-authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have php run first, then look for the requested file and output it transparently for the user).

Now you need to know what to write into the .htaccess... I don't know much about Apache syntax, but I think this may work:

RewriteEngine on
RewriteRule abs/path/to/the/files/(.*) abs/path/to/the/script/yourScript.php?request=$1

I'm not completely sure this will work well... test around and take a look at this

Well, you see, it passes the name of the file to the 'request' GET parameter of your PHP script (which might be located anywhere else, not necessarily the same folder; this way you'd avoid that they pointed to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

header('Content-Disposition: attachment; filename="'.$filename.'"');
readfile('path/to/the/files/'.$filename);

You may have made some checks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
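
The approach discussed in the posts above (a PHP script that checks the login, then sends a file kept outside the public directory), as an added example that is not part of the original thread. `FILES_DIR`, the `customer_id` session key and the `resolve_download()` helper are assumptions; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);
// Added example: session-gated download script for files stored outside the web root.
// FILES_DIR and the 'customer_id' session key are assumptions, not values from the thread.
const FILES_DIR = '/var/www/private/support-files';

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the check below sees the final target.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['customer_id'])) {   // set by the site's own login script (assumed key)
    http_response_code(403);
    exit('Not authorized');
}

$request = $_GET['request'] ?? '';
$path = is_string($request) ? resolve_download(FILES_DIR, $request) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('Cannot open file');
}

session_write_close();   // release the session lock during a long download
set_time_limit(0);       // keep the execution time limit from cutting a 100 MB transfer
while (ob_get_level() > 0) {
    ob_end_clean();      // do not buffer the whole file in memory
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
// rawurlencode() keeps quotes and line breaks in the name out of the header.
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));

while (!feof($fh)) {
    echo fread($fh, 8192);   // stream in small chunks
    flush();
}
fclose($fh);
```

Because the files live outside the public directory, no URL reaches them directly and every download passes through the session check.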
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap string and echo it to the browser as attachment. In the worst case there is a command in htaccess to change the time limit anyway for current call, so you may use that.

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for your help!

  • 0

Just so you know, if they're running IIS6, instead of .htaccess use web.xml :) It does the same thing but on IIS. Atm it's not as rich as Apache, but it has all the major and most used function capability. (IIS7 says it will be just as rich as .htaccess)

I was about to say, if it was on Apache, PHP can control the authentication box. I can't remember the code *damn*. Anyway, can't be done on IIS atm.

  • 0

why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_pw)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>

  • 0
  j79zlr said:
why not use php to protect the info, have a form input and validate a password

<?php
$password = $_POST['password'];
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_pw)) {
 // the code for valid users here
}
else {
echo "Not authorized";
}
?>


I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.