2

I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.

DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php -> Access Denied 

BUT

[index.php] <form action="/subfolder/somefile.php"> ... </form> -> Success! 

I would love to solve this by just using .htaccess. I tried deny from all and also some RewriteRules but those Rules also kill any request from index.php. I tried

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from somewebsite.com
    Satisfy Any

but the request from index.php is being denied. Can anyone help, please?

3 Answers

1

This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.

The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
    RewriteRule ^subfolder/ - [L,F]

where "example.com" is your site.


7 Comments

Sidenote Q: Using RewriteCond %{HTTP_REFERER} is more reliable than $_SERVER['HTTP_REFERER'] and can't be manipulated? As per stackoverflow.com/a/6023980
@Fred-ii- PHP's $_SERVER['HTTP_REFERER'] is populated by Apache, and comes from the same place that stores the value of the %{HTTP_REFERER} rewrite variable. They both come from the Referer: field of the HTTP request header. They're both the same.
It seems this doesn't work. The files in my subfolder are easily accessible by just typing somewebsite.com/subfolder/somefile.php.
As stated in the link in my comment above: "Using HTTP_REFERER isn't reliable, its value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted." - so I'm just wondering whether that's the best solution. Yet, wondering if it makes a difference if it comes from .htaccess or from PHP script and whether one is more reliable than the other, the one being in .htaccess that is.
@Fred-ii- If you need to know where someone clicked on a link, without tracking everything on the server side with cookies or something, there is no other way. Likewise, there is no difference between using the rewrite condition's variable or the PHP variable because they both come from exactly the same place.
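
The server-side tracking mentioned in the comments above, as an added example that is not code from this thread: index.php stores a random token in the session and embeds it in the form, and somefile.php rejects any request that does not send it back. The file name gate.php, the field name gate_token, the function names, the 10-minute lifetime and the use of POST are assumptions.

```php
<?php
// Added example, not from the thread. Hypothetical file: DOCROOT/subfolder/gate.php
// index.php and subfolder/somefile.php would both require this file.
declare(strict_types=1);

const GATE_TTL = 600; // seconds a rendered form stays valid (assumed value)

function gate_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,      // cookie not readable from page scripts
            'cookie_samesite' => 'Strict',  // cookie not sent on cross-site requests
        ]);
    }
}

// index.php calls this while rendering the form:
//   <form method="post" action="/subfolder/somefile.php">
//   <input type="hidden" name="gate_token"
//          value="<?= htmlspecialchars(gate_issue_token()) ?>">
function gate_issue_token(): string
{
    gate_start_session();
    $token = bin2hex(random_bytes(32));   // unguessable, unlike a Referer value
    $_SESSION['gate'] = ['token' => $token, 'expires' => time() + GATE_TTL];
    return $token;
}

// subfolder/somefile.php calls this before doing anything else.
function gate_require_token(): void
{
    gate_start_session();
    $stored = $_SESSION['gate'] ?? null;
    $sent   = $_POST['gate_token'] ?? '';
    unset($_SESSION['gate']);             // single use: a replayed form fails

    $ok = is_array($stored)
        && is_string($sent)
        && $stored['expires'] >= time()
        && hash_equals($stored['token'], $sent); // constant-time comparison

    if (!$ok) {
        http_response_code(403);
        exit('Access denied');
    }
}
```

The browser still makes the request to somefile.php, as the answer explains; the check only guarantees that the same session loaded the form from index.php within the last ten minutes.
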
0
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://www.hello.com/index.php
    RewriteRule .*subfolder/somefile\.php - [NC,F]

The second line checks whether the visitor is not coming from a certain URL. The 3rd line blocks them from accessing somefile.php.

1 Comment

Not working. Blocked from URL and access via index.php.
0

In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:

    <directory "DOCROOT/subfolder">
        RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
        RewriteRule ^/(.+)$ redirect.php [L]
    </directory>

3 Comments

<Directory> containers are not allowed in a htaccess file, since an htaccess file is already a per-directory context.
Getting internal server error 500. And not sure if I'm understanding your answer correctly - your code blocks the access to any files except for index.php in the same subfolder, right?
Sorry, my mistake. You could put the above inside your virtual host configuration, or you could just take out the directory tags and put the contents into an .htaccess file inside DOCROOT/subfolder
