PHP-only Folders


redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Damn, beat me to it :)
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

@ redmonkey

The mod-rewrite code you posted previously...

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$     [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://your_server.com/bad.gif [R,L]

....could that be modified to do the same job as .htaccess? What I mean by that is can mod-rewrite be used to give folder/file access to PHP in the same way that I have got .htaccess to work?

It's not important now that .htaccess does work, but it would be pretty handy to know :)
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Yes,

The .htaccess file only comes into play when you make an HTTP request, so using mod_rewrite will still allow access by using (standard file system type) include() etc.... mod_rewrite is far more powerful than the standard .htaccess directive and can be used for many things.
ilovetoast
Forum Contributor
Posts: 142
Joined: Thu Jan 15, 2004 7:34 pm

Post by ilovetoast »

In a word, yes. It does require a bit more work than htaccess and there are some concerns (see link below).

mod_rewrite can do so many wonderful things. Check out http://httpd.apache.org/docs/misc/rewriteguide.html for lots of examples.

peace
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Aha.. that was pretty simple and also seems to work which is a bonus :)

I've dropped all of the .htaccess files for now and I'm using mod-rewrite instead. The following mod-rewrite code will only allow access to the folder and files if the REQUEST_FILENAME contains "getfile.php" otherwise the user gets kicked to a "You're not allowed here" page.

Code:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !getfile.php(.*)$
RewriteRule (.*) /500.php [L]

As long as no-one discovers what the target file is (in this case getfile.php) then they won't be able to get to any of the files. I will use getfile.php to stream/load/redirect to any of the files depending on info I send to it.

Does anyone see any possible "backdoors" with this method?
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

I'm not sure I follow, if you use getfile.php then, is this a link? If so then surely everybody will be able to see that the way in is through using getfile.php. I may be picking you up wrong though.

I am assuming that getfile.php reads the contents of the file then spits it out? If so, I would stick to standard .htaccess directives e.g. the first piece of code I posted and then place getfile.php in another directory.

I don't see any real point to invoking the rewrite engine in this scenario.

That being said, I may have misunderstood what you are trying to accomplish, so perhaps more detail is required.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

The getfile.php file which is in the 'locked' folder will only be used by PHP, it won't be used as a visible link on the website.

For example I might use something like readfile("folder/getfile.php?file=bla") in order to read files from the 'locked' folder into PHP.

As long as no-one knows the name of the accessible file in the folder (I'm using getfile.php as an example) then they won't be able to access the folder and/or files.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Can you not just use readfile('folder/bla') from within the script instead of calling a second script?

I'm not entirely sure as I have not used readfile() in the way you have shown above but I don't think you can pass in arguments like that. As I understand it, in order to do it the way you are you have to use fopen() first to specify a URL style file opening.
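
An added example (not code posted by anyone in this thread) of the approach suggested in the post above: the script sits outside the protected folder and reads files with a plain filesystem readfile(), so the folder itself can refuse every HTTP request and nothing depends on a script name staying secret. The folder name `locked`, the `file` request parameter and the function name `resolve_locked_file` are assumptions made for illustration.

```php
<?php
// Assumption: "locked/" sits next to this script and already refuses all
// HTTP requests through a standard .htaccess access directive
// ("Require all denied" on Apache 2.4, "Deny from all" on older versions).
const LOCKED_DIR = __DIR__ . '/locked';    // hypothetical folder name

/**
 * Map a user-supplied name to a regular file inside LOCKED_DIR.
 * Returns the absolute path, or null if the name is invalid, the file
 * does not exist, or the resolved path falls outside the folder.
 */
function resolve_locked_file(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;                        // empty name or embedded NUL byte
    }
    $base = realpath(LOCKED_DIR);
    if ($base === false) {
        return null;                        // protected folder is missing
    }
    // realpath() collapses "..", symlinks and repeated slashes, so the
    // prefix check below is made on the path the OS would really open.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                        // e.g. "../config.php"
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    // Hypothetical request parameter "file", e.g. download.php?file=report.pdf
    $path = resolve_locked_file((string) ($_GET['file'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);                        // filesystem read, not an HTTP request
}
```
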
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Hmmm. good point. Looks like I might be going back to using .htaccess instead of mod-rewrite :)