• 0

PHP to bypass .htaccess


Question

Hey guys, I've got a question...

I'm currently working on a site for a client that's done in PHP and MySQL. There is a support area that they need that will include files and documentation. Here's the deal:

Their files need to be protected. The support area will have a login prompt so that only customers can get into it. The thing is, I can easily protect the links to the files and documentation, obviously. What I want to do is protect the actual files that will be held in a different directory. They need to be protected with .htaccess so that no links can just be handed out to other people. I need to make it so that if the customer has already logged into the support area through the PHP script, they don't see any htaccess login prompt when they go to download the files.

So, is there any way that I can have PHP bypass the htaccess login?

Please help me ASAP... I need to finish this job up soon.

Thanks everybody!

https://www.neowin.net/forum/topic/280438-php-to-bypass-htaccess/

19 answers to this question


  • 0

I have an idea, no clue if it would work, I'm not that great with any web stuff.

Why not just use a php file that just opens the file in the protected directory, but only if they are authorized. That way, you wouldn't even need to put anyone in the .htaccess file?

  • 0

The thing is, if you have a directory protected with .htaccess, then any links that send somebody to a file inside that directory will pull up the login prompt.

I don't want to use .htaccess to authenticate people, only to keep them out if they're not already logged in through my PHP script.

So, you're saying exactly what I want to do, but .htaccess will still cause a problem :/

I'm looking for something in PHP that will suppress the .htaccess login window.

  • 0

Ahhh.... true, I could do that.

How would I go about sending the user a file that's not in a public directory? Keep in mind, I believe some of these files are over 100MB.

Edited by fubarshibby
  • 0

Look, what you can do is redirect any queries to any file or directory in your folder to your PHP authentication file. From there you may access any file and output it as you like. (You even may link the user to the actual file, and have PHP run first, then look for the requested file and output it transparently for the user.)

Now you need to know what to write into the .htaccess... I don't know much about apache syntax, but i think this may work:

RewriteEngine on
# Send every request under the files directory to the PHP script; the
# captured file name arrives as the 'request' GET parameter. [L] stops
# further rule processing for that request.
RewriteRule ^abs/path/to/the/files/(.*)$ abs/path/to/the/script/yourScript.php?request=$1 [L]

I'm not completely sure this will work well... test around and take a look at this

Well, you see, it passes the name of the file to the 'request' GET parameter of your PHP script (which might be located anywhere else, not necessarily the same folder; this way you'd avoid them pointing to your script inside the files folder ;)).

Well, try it and play around with the Apache commands.

  • 0

How would I output it to the user though? Would readfile() be feasible? Or would the htaccess file allow me to do a header() command and change the location without redirecting to the same script?

Thanks for all the help so far.

  • 0

Oh, that's easy.

// Strip any directory part so the name cannot escape the files directory.
$filename = basename($filename);
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile('path/to/the/files/' . $filename);

You may have made some checks to see if the file exists before, for security's sake. Maybe there's some urldecode() to do to the passed parameter, but I doubt that.

Edit: I recall there was a way to load anything BEFORE the actual file was loaded, this would be great to authenticate first and, depending on the results, send 403 headers or allow the file to be sent, but I can't seem to find it atm.

Edited by KeyStorm
  • 0

I can't see why, tbh. Maybe the process time limit may cut the data flow, but the best way to know... is to test it ;)

You may create a random crap string and echo it to the browser as an attachment. In the worst case there is a command in htaccess to change the time limit anyway for the current call, so you may use that.
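Putting the thread's pieces together (the rewrite rule, the PHP gatekeeper, the readfile() output and the large-file concern), here is an added example of such a download script. It is not code from any poster; it assumes the files live in /var/www/protected_files outside the web root, that the support-area login set $_SESSION['customer_id'], and that the rewrite rule sends /files/<name> to download.php?request=<name> (all assumed names).

```php
<?php
// download.php: gatekeeper for files kept outside the web root (added example).
// Assumes the login script set $_SESSION['customer_id'] (assumed name) and
// that Apache rewrote /files/<name> to download.php?request=<name>.
declare(strict_types=1);
session_start();

// Directory holding the protected files; outside DocumentRoot so nothing
// can link to them directly. The path is an assumption.
const FILES_DIR = '/var/www/protected_files';

// 1. Authentication: only customers already logged in through the support
//    area may continue. No Basic-auth prompt is involved at any point.
if (empty($_SESSION['customer_id'])) {
    http_response_code(403);
    exit('Please log in to the support area first.');
}

// 2. Input validation: accept only a bare file name. basename() drops any
//    directory part, and realpath() confirms the result still lives inside
//    FILES_DIR, so "../../etc/passwd"-style requests are rejected.
$requested = basename((string) ($_GET['request'] ?? ''));
$base = realpath(FILES_DIR);
$path = realpath(FILES_DIR . DIRECTORY_SEPARATOR . $requested);
if ($requested === '' || $base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such file.');
}

// 3. Output: send as a download. The file is streamed in chunks instead of
//    being loaded into memory, output buffering is disabled, and the time
//    limit is lifted so a 100 MB transfer is not cut off mid-stream.
set_time_limit(0);
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . rawurlencode($requested) . '"');
header('X-Content-Type-Options: nosniff');

$fh = fopen($path, 'rb');
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```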

  • 0

Problem :(

The server that my client is hosted on doesn't seem to allow the RewriteEngine... I've used it before for a different site, so I know I'm not doing anything wrong. I also found out through the hosting provider's support pages that you can't even do your own .htaccess protection; you have to email them to get it protected.

Well, their current site's files aren't protected in any way, I just figured it would be better if I did this for them. I guess I just won't give direct links; I'll simply use the header command. I don't think their clients are going to be trying to gain access without permission because AFAIK my client hasn't had any problems yet.

  • 0

Now I feel really stupid: I just realized that they're on an IIS server and that's why there's no .htaccess :blush:

The funny thing is, I knew this, but I'd never really thought about it, you know?

Well I found out a way to get through it though; they have some software called iisProtect on there, which is what I wanted to get away from... But I figured out a way for it to work nicely with my PHP pages. So it's all good now.

Thanks for your help!

  • 0

Just so you know, if they're running IIS6, instead of .htaccess use web.xml :) It does the same thing but on IIS. At the moment it's not as rich as Apache, but it has all the major and most used function capability. (IIS7 says it will be just as rich as .htaccess.)

I was about to say, if it was on Apache, PHP can control the authentication box; I can't remember the code *damn*. Anyway, it can't be done on IIS atm.

  • 0

why not use php to protect the info, have a form input and validate a password

<?php
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_pw, true)) {  // strict comparison: only an exact string match passes
    // the code for valid users here
} else {
    echo "Not authorized";
}
?>

  • 0
  j79zlr said:
why not use php to protect the info, have a form input and validate a password

<?php
$password = isset($_POST['password']) ? $_POST['password'] : '';
$valid_pw = array('valid', 'passwords', 'in', 'this', 'array');  // you could do this with MySQL, or with just one password
if (in_array($password, $valid_pw, true)) {  // strict comparison: only an exact string match passes
    // the code for valid users here
} else {
    echo "Not authorized";
}
?>


I/They don't want the directories available to the public. Currently they're protected, using IISProtect software that they've got.

I just decided to go ahead and keep it, since it works just like .htaccess except it's got an entire administration area to have users, groups, access levels, etc... I just wanted to see if there was a way to do it myself.

  • 0

Nah, I've got it all covered. Besides, this way my client won't have to learn a new way of adding/deleting users and groups and everything. They'll be able to be comfortable with what they've got.

In any case, they're not paying me enough to have me try and create a whole new way to secure that area of the site. ;) Especially since it'll be fine the way it is.

This topic is now closed to further replies.