Protecting my includes directory with htaccess. Any potential problems doing this?

Printable View

Feb 25, 2012, 08:37
BuddyH

Protecting my includes directory with htaccess. Any potential problems doing this?

I am developing a backend for my site and I have put all of my forms for doing sql queries in includes/forms
My index & edit pages e.t.c. require login using the following code:

PHP Code:

if(!$session->logged_in) { header('Location: login.php'); die; }

However, I can't put this code in my forms because it will throw an error for re-declaration, so I just put a .htaccess in the includes directory with deny from all.
So far, its doing exactly what I want, the forms include in my pages & everything works and if I use my browser to navigate to the includes/forms directory or any of the files inside it, I get a forbidden message. Great!

Is this a common way to protect such files, or might this lead to any problems that I haven't thought of?
Feb 25, 2012, 08:56
simpeligent

afaik: if you use user/pw on that folder, ppl will be asked to login - even if the including page is NOT protected..
if you simply do something like
*.php deny all, it "should" work..
but I speak from memory - not tested recently..

regards
simpeligent

Edited:
if you want to use your qoted code, you need to buffer the output

on top of page make ob_start()
on bottom ob_end()

afaik you can redirect between those cpmmands with header..
you can even start a session in between because no output-stream is opened until the ob_end() or ob_flush()
Feb 25, 2012, 09:05
BuddyH

Ok thanks, I'm not sure how to password protect the directory itself with php, I only know how to protect the file.

I used straight deny all with .htaccess, no access to anything in that folder and my pages still include the files ok. I just tried to remotely include the form and that doesn't work, so it seems pretty secure, but I guess maybe I should look up how to protect directories with the same login.
Feb 25, 2012, 09:19
simpeligent

no better not - for the include purpose, the password is the "no go"..
why it works with deny all and not with pw is that user/pw is I guess because it's a http action - after the output stream was opened - the "deny all" obviousely also applies to http-type access to this folder..
php-including happens - so to speak - on a layer above - so it is not affected by htaccess-rules
I guess we could say it that way: Apache reads the htaccess - not php!

the password user thing was just a problem I encountered once in the past, so I wanted to inform you about that possible problem

regards
Hensel
Feb 25, 2012, 10:11
BuddyH

Quote:

Originally Posted by simpeligent

I guess we could say it that way: Apache reads the htaccess - not php!

Ah ok, that's a new lesson for me!

Thanks for this Hensel :)