  1. #1
    SitePoint Enthusiast
    Join Date
    Oct 2010
    Posts
    97

    Protecting my includes directory with htaccess. Any potential problems doing this?

    I am developing a backend for my site and I have put all of my forms for doing SQL queries in includes/forms
    My index & edit pages etc. require login using the following code:
    PHP Code:
    if (!$session->logged_in) {
        header('Location: login.php');
        die;
    }
    However, I can't put this code in my forms because it will throw an error for re-declaration, so I just put a .htaccess in the includes directory with deny from all.
    So far, it's doing exactly what I want, the forms include in my pages & everything works and if I use my browser to navigate to the includes/forms directory or any of the files inside it, I get a forbidden message. Great!

    Is this a common way to protect such files, or might this lead to any problems that I haven't thought of?

  2. #2
    SitePoint Member
    Join Date
    Feb 2012
    Location
    Switzerland
    Posts
    14
    afaik: if you use user/pw on that folder, ppl will be asked to log in - even if the including page is NOT protected..
    if you simply do something like
    *.php deny all, it "should" work..
    but I speak from memory - not tested recently..

    regards
    simpeligent

    Edited:
    if you want to use your quoted code, you need to buffer the output

    on top of page make ob_start()
    on bottom ob_end()

    afaik you can redirect between those commands with header..
    you can even start a session in between because no output-stream is opened until the ob_end() or ob_flush()

  3. #3
    SitePoint Enthusiast
    Join Date
    Oct 2010
    Posts
    97
    Ok thanks, I'm not sure how to password protect the directory itself with php, I only know how to protect the file.

    I used straight deny all with .htaccess, no access to anything in that folder and my pages still include the files ok. I just tried to remotely include the form and that doesn't work, so it seems pretty secure, but I guess maybe I should look up how to protect directories with the same login.

  4. #4
    SitePoint Member
    Join Date
    Feb 2012
    Location
    Switzerland
    Posts
    14
    no better not - for the include purpose, the password is the "no go"..
    why it works with deny all and not with pw is that user/pw is I guess because it's a http action - after the output stream was opened - the "deny all" obviously also applies to http-type access to this folder..
    php-including happens - so to speak - on a layer above - so it is not affected by htaccess-rules
    I guess we could say it that way: Apache reads the htaccess - not php!

    the password user thing was just a problem I encountered once in the past, so I wanted to inform you about that possible problem

    regards
    Hensel

  5. #5
    SitePoint Enthusiast
    Join Date
    Oct 2010
    Posts
    97
    Quote, originally posted by simpeligent:
    I guess we could say it that way: Apache reads the htaccess - not php!
    Ah ok, that's a new lesson for me!

    Thanks for this Hensel
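
Added example, not part of the thread and not any poster's code: the deny rule only protects the forms while Apache honours that .htaccess, so a guard inside PHP keeps them safe if the rule is ever lost (server move, overrides disabled). The file name guard.php and both function names are hypothetical; `$session->logged_in` is taken from the first post, and it is an assumption that the re-declaration error came from including the same definitions twice, which `require_once` avoids.

```php
<?php
// includes/forms/guard.php (hypothetical name). Each form file starts with:
//     require_once __DIR__ . '/guard.php';   // require_once: loaded only once,
//     guard_include(__FILE__, $session ?? null); // so nothing is re-declared

/**
 * True when the web server was asked to run $includedFile itself,
 * rather than a page that include()s it.
 */
function is_direct_request(string $includedFile, string $entryScript): bool
{
    $included = realpath($includedFile);
    $entry    = realpath($entryScript);
    return $included !== false && $included === $entry;
}

/**
 * Refuse direct hits on an include, then apply the same login check
 * the index and edit pages use.
 */
function guard_include(string $includedFile, ?object $session): void
{
    $entry = $_SERVER['SCRIPT_FILENAME'] ?? '';
    if (is_direct_request($includedFile, $entry)) {
        http_response_code(403);          // same outcome as "deny from all"
        exit('Forbidden');
    }
    if ($session === null || empty($session->logged_in)) {
        header('Location: login.php');
        exit;                             // stop before any form code runs
    }
}

// Constructed self-check: run `php guard.php` from a shell.
if (PHP_SAPI === 'cli' && is_direct_request(__FILE__, $_SERVER['SCRIPT_FILENAME'])) {
    $page = tempnam(sys_get_temp_dir(), 'page');       // stands in for index.php
    var_dump(is_direct_request(__FILE__, __FILE__));   // include requested directly
    var_dump(is_direct_request(__FILE__, $page));      // include pulled in by a page
    unlink($page);
}
```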
