PHP-only Folders


Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

I know I should know this... but I've forgotten... or didn't know in the first place :?

Let's say I have a folder on my server called Stuff which contained a load of files (images/audio/applications) and I wanted Stuff to be secure enough to stop Joe Public from either (a) accessing the folder and (b) directly linking to any files in the folder.... but allowed PHP to access the folder and files for either streaming or downloading purposes.... how would I do it?

As an example this website page loads an image from a folder... but if you try to access the folder manually you are denied access...
The website page.... http://www.propellerheads.se/
The images (which can be linked to directly but I don't want this to be possible).... http://www.propellerheads.se/img/propellerhead.gif
The folder (denies you access)... http://www.propellerheads.se/img/

Any help would be great :)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Depending on your web server config and what level of access you are trying to achieve, you could possibly just use an .htaccess file within the directory to accomplish this.

For example, if you placed an .htaccess file containing the following....

Code:

<Limit>
order deny,allow
deny from all
</Limit>

Then any HTTP requests in that directory would be denied, but you could still use PHP's include() etc. functions to get files from there.

If you're running an Apache server with mod_rewrite then you could include something like....

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$     [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://your_server.com/bad.gif [R,L]

That piece of code would prevent anyone accessing .gif and .jpg files from that directory unless the request has come from http://your_domain.com. Furthermore, if a bad request does come, then Apache will return the bad.gif regardless of what file was requested.
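
The arrangement described in the post above (HTTP access to the folder denied, PHP still able to read the files) needs a script outside the folder to hand files to visitors. The following is an added example, not code from the thread; the name download.php, the ./Stuff path, the ?file= parameter and the type list are assumptions, and it requires PHP 7.1 or later.

```php
<?php
// download.php: added example. It sits OUTSIDE the protected folder, which
// keeps its deny-all .htaccess so Apache never serves the files directly.
// Assumed (not from the thread): PHP 7.1+, the folder is ./Stuff beside this
// script, and files are requested as download.php?file=name.ext
declare(strict_types=1);

const PROTECTED_DIR = __DIR__ . '/Stuff';
// Extension allow-list; anything not listed here is never served.
const ALLOWED_TYPES = [
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'mp3' => 'audio/mpeg',
    'zip' => 'application/zip',
];

// Map a user-supplied name to a real file inside PROTECTED_DIR, or null.
function resolveProtectedFile(string $requested): ?string
{
    $base = realpath(PROTECTED_DIR);
    // basename() drops any directory part; realpath() then resolves
    // symlinks and returns false when the file does not exist.
    $path = realpath(PROTECTED_DIR . '/' . basename($requested));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be under the folder.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $path : null;
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveProtectedFile($name) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit('Not found');
}
// A login or session check (site-specific) belongs here, before streaming.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="'
    . str_replace('"', '', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the decision is made in PHP on the server, it does not depend on the Referer header the browser chooses to send.
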
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Hmm cool. I could use either of those on my server so I guess it's down to which one would be more effective.

For example the mod-rewrite sounds good, but if someone was already on the website wouldn't they still be able to access the folder and/or files as the request would be from your_domain.com (etc).

With that in mind the .htaccess method sounds like the best bet to me so I will give it a try and see what happens ;)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Gen-ik wrote: For example the mod-rewrite sounds good, but if someone was already on the website wouldn't they still be able to access the folder and/or files as the request would be from your_domain.com (etc).
Yes, the idea behind that code is that when a user comes to your site they would be able to see all your images requested from that directory, as the referrer would be your site. However, if they decide your images are quite cool and want to directly link to them from their own site, all they would get on their site would be the bad.gif
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

OK the .htaccess appears to be working. Like you said PHP can still include() and require() files from the folder but trying to access the folder and files directly results in this error....

Code:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

...which is good I guess.

Just one more question, is it possible to display another page or message instead of the error page? I can't access the php.ini file (I'm on a shared server) but don't worry if it's not possible.

Thanks for the help.
dull1554
Forum Regular
Posts: 680
Joined: Sat Nov 22, 2003 11:26 am
Location: 42:21:35.359N, 76:02:20.688W

Post by dull1554 »

Even if you could access the php.ini, I think this error message is auto-generated, so I don't think there's a damn thing you can do about it.....
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

In theory you can override any error page you like by adding something like...

Code:

ErrorDocument 404 /errordocs/notfound.html
ErrorDocument 500 /errordocs/internalerror.html

The leading slash shows that the path is from the root of your webserver.

The only problem being, I have not managed to work out how to override the default error page for a 500 status code which is what is being returned. Whenever I have had to do this kind of thing and required a more elegant response, I've just used mod_rewrite rules to accomplish custom pages for bad requests. At the end of the day the only time a user will see that page is if they try to access the directory directly which means they are deliberately trying to get into that directory so personally I don't care what my server returns as long as it's not the contents of the directory or a file within.
ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

I've just had a look at that link (and followed on into 'Using .htaccess Files with Apache' link) but it doesn't seem to make any mention of overriding the default error 500 page? (unless I missed it)
ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

http://httpd.apache.org/docs/custom-error.html for custom error pages with apache. htaccess stuff via prevs link.

peace
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Thanks mate. I'll check it out.

PS. I love toast too ;)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Thanks,

Although the methods described are the same as I have tried previously but as I said I have not had any luck, perhaps it has to do with the fact that there is also a deny all in the file too?
ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

There shouldn't be a problem with the error 500 replacement so long as the error doc replacement isn't in the .htaccess forbidden directory.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Cheers lads it's working fine.

I found that I had to create a new .htaccess file and place it in the root directory (as well as having the other .htaccess in the 'locked' folder).

Code:

ErrorDocument 500 /500.php

That's all I needed in the new .htaccess file. It redirects the user (a bit like mod-rewrite does) to 500.php and also gives me a load of new _SERVER vars to play with so I can check out where the user has been redirected from.

All very helpful.

Thanks again :)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

All the docs I've read also suggest the same thing, but any time I have tried I've had no luck, it has never really bothered me that much as I said I just stick to mod_rewrite. I've always just clocked it up as one of those little things I'll get round to looking at in more detail when I'm stuck for something to do.

However, it has annoyed me now tonight, and amazingly I got it to work. I have discovered that while it doesn't work within an .htaccess file with the deny all, if I place the errordocument directive in a higher level directory then all works as intended. :)