Posted: Fri Jan 16, 2004 8:36 pm
by redmonkey
Damn, beat me to it

Posted: Fri Jan 16, 2004 8:41 pm
by Gen-ik
@ redmonkey
The mod-rewrite code you posted previously...
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://your_server.com/bad.gif [R,L]
....could that be modified to do the same job as .htaccess? What I mean by that is can mod-rewrite be used to give folder/file access to PHP in the same way that I have got .htaccess to work?
It's not important now that .htaccess does work, but it would be pretty handy to know

Posted: Fri Jan 16, 2004 8:51 pm
by redmonkey
Yes,
The .htaccess file only comes into play when you make an HTTP request, so using mod_rewrite will still allow access by using (standard file system type) include() etc.... mod_rewrite is far more powerful than the standard .htaccess directive and can be used for many things.

Posted: Fri Jan 16, 2004 8:53 pm
by ilovetoast
In a word, yes. It does require a bit more work than htaccess and there are some concerns (see link below).
mod_rewrite can do so many wonderful things. Check out
http://httpd.apache.org/docs/misc/rewriteguide.html for lots of examples.
peace

Posted: Fri Jan 16, 2004 9:17 pm
by Gen-ik
Aha.. that was pretty simple and also seems to work which is a bonus
I've dropped all of the .htaccess files for now and I'm using mod-rewrite instead. The following mod-rewrite code will only allow access to the folder and files if the REQUEST_FILENAME contains "getfile.php", otherwise the user gets kicked to a "You're not allowed here" page.
Code:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !getfile.php(.*)$
RewriteRule (.*) /500.php [L]
As long as no-one discovers what the target file is (in this case getfile.php) then they won't be able to get to any of the files. I will use getfile.php to stream/load/redirect to any of the files depending on info I send to it.
Does anyone see any possible "backdoors" with this method?

Posted: Sat Jan 17, 2004 8:12 am
by redmonkey
I'm not sure I follow. If you use getfile.php then, is this a link? If so, then surely everybody will be able to see that the way in is through using getfile.php. I may be picking you up wrong though.
I am assuming that getfile.php reads the contents of the file then spits it out? If so, I would stick to standard .htaccess directives e.g. the first piece of code I posted and then place getfile.php in another directory.
I don't see any real point to invoking the rewrite engine in this scenario.
That being said, I may have misunderstood what you are trying to accomplish, so perhaps more detail is required.

Posted: Sat Jan 17, 2004 8:20 am
by Gen-ik
The getfile.php file which is in the 'locked' folder will only be used by PHP, it won't be used as a visible link on the website.
For example I might use something like readfile("folder/getfile.php?file=bla") in order to read files from the 'locked' folder into PHP.
As long as no-one knows the name of the accessible file in the folder (I'm using getfile.php as an example) then they won't be able to access the folder and/or files.

Posted: Sat Jan 17, 2004 10:58 am
by redmonkey
Can you not just use readfile('folder/bla') from within the script instead of calling a second script?
I'm not entirely sure as I have not used readfile() in the way you have shown above but I don't think you can pass in arguments like that. As I understand it, in order to do it the way you are you have to use fopen() first to specify a URL style file opening.

Posted: Sat Jan 17, 2004 11:10 am
by Gen-ik
Hmmm. good point. Looks like I might be going back to using .htaccess instead of mod-rewrite
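
The layout suggested in the thread (block HTTP access to the folder and have a script outside it read the files through the filesystem), as an added example that is not part of the original posts. The `locked/` directory, the `file` parameter and the `resolve_locked_file()` helper are assumptions made for illustration, as is a deny-all rule in `locked/.htaccess` (`Deny from all` on Apache 2.2, `Require all denied` on 2.4).

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   getfile.php        this script, reachable over HTTP
//   locked/            protected files
//   locked/.htaccess   deny-all rule, so nothing in locked/ is served directly
// The deny rule only affects HTTP requests; readfile() on a local path still works.
define('LOCKED_DIR', __DIR__ . '/locked');

// Map a requested name to a real file inside $baseDir, or null if it is not allowed.
function resolve_locked_file($name, $baseDir = LOCKED_DIR)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($name) || $name === '') {
        return null;
    }
    // realpath() collapses "../" and symlinks and returns false for missing targets.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Never serve the access-control file itself.
    return basename($path) === '.htaccess' ? null : $path;
}

if (PHP_SAPI !== 'cli') {
    $name = isset($_GET['file']) ? $_GET['file'] : '';
    $path = resolve_locked_file($name);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // A per-user authorisation check belongs here, before any bytes are sent.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

With this layout the protection does not depend on the script's name staying secret: a request such as `getfile.php?file=../getfile.php` resolves outside `locked/` and gets a 404.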
