PHP-only Folders
@ redmonkey
The mod-rewrite code you posted previously...
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://your_server.com/bad.gif [R,L]
....could that be modified to do the same job as .htaccess? What I mean by that is can mod-rewrite be used to give folder/file access to PHP in the same way that I have got .htaccess to work?
It's not important now that .htaccess does work, but it would be pretty handy to know
ilovetoast (Forum Contributor, Posts: 142, Joined: Thu Jan 15, 2004 7:34 pm)
In a word, yes. It does require a bit more work than htaccess and there are some concerns (see link below).
mod_rewrite can do so many wonderful things. Check out http://httpd.apache.org/docs/misc/rewriteguide.html for lots of examples.
peace
Aha.. that was pretty simple and also seems to work which is a bonus 
I've dropped all of the .htaccess files for now and I'm using mod-rewrite instead. The following mod-rewrite code will only allow access to the folder and files if the REQUEST_FILENAME contains "getfile.php" otherwise the user gets kicked to a "You're not allowed here" page.
Code:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !getfile.php(.*)$
RewriteRule (.*) /500.php [L]
As long as no-one discovers what the target file is (in this case getfile.php) then they won't be able to get to any of the files. I will use getfile.php to stream/load/redirect to any of the files depending on info I send to it.
Does anyone see any possible "backdoors" with this method?
I'm not sure I follow. If you use getfile.php then, is this a link? If so then surely everybody will be able to see that the way in is through using getfile.php. I may be picking you up wrong though.
I am assuming that getfile.php reads the contents of the file then spits it out? If so, I would stick to standard .htaccess directives e.g. the first piece of code I posted and then place getfile.php in another directory.
I don't see any real point to invoking the rewrite engine in this scenario.
That being said, I may have misunderstood what you are trying to accomplish, so perhaps more detail is required.
The getfile.php file which is in the 'locked' folder will only be used by PHP, it won't be used as a visible link on the website.
For example I might use something like readfile("folder/getfile.php?file=bla") in order to read files from the 'locked' folder into PHP.
As long as no-one knows the name of the accessible file in the folder (I'm using getfile.php as an example) then they won't be able to access the folder and/or files.
Can you not just use readfile('folder/bla') from within the script instead of calling a second script?
I'm not entirely sure as I have not used readfile() in the way you have shown above but I don't think you can pass in arguments like that. As I understand it, in order to do it the way you are you have to use fopen() first to specify a URL style file opening.
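The approach raised in the last replies (keep the folder closed to the web and have a script in another directory read files by filesystem path), as an added example that is not code from any poster in this thread. The directory layout, the handling of the `file` parameter and the function names `resolveLockedFile` and `userMayDownload` are assumptions; the locked folder is assumed to be denied to all web requests by server configuration, so nothing depends on a script name staying secret.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   <site>/public/download.php  <- this script, reachable from the web
//   <site>/locked/              <- protected files, denied to the web by server config
declare(strict_types=1);

const LOCKED_DIR = __DIR__ . '/../locked';

// Map a user-supplied name to a real file inside the locked folder.
// Returns null if the name is empty, missing, or resolves outside the folder.
function resolveLockedFile(string $name, string $baseDir = LOCKED_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; it returns false if nothing exists there.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still be underneath the locked folder.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Placeholder for the site's own login/permission check (assumption).
function userMayDownload(): bool
{
    session_start();
    return !empty($_SESSION['logged_in']);
}

if (PHP_SAPI !== 'cli') {
    $name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
    $path = userMayDownload() ? resolveLockedFile($name) : null;
    if ($path === null) {
        http_response_code(404);   // same answer for "missing" and "not allowed"
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'
        . str_replace('"', '', basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // local filesystem read; no HTTP request into the locked folder
}
```

Because the read goes through the filesystem, the web server never has to allow any request into the locked folder, and a `file` value such as `../config.php` is rejected by the prefix check after `realpath()`.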