I'm looking for a way to tell Apache that if there is a request for a file from a certain directory it should first run a php script to verify if the user is logged in.
I know I could put the directory outside of the docroot and let a php script handle the authentication and file downloads, but because these are flash files that try to open other flash files it has to be a directory in the docroot, and the files should not have to be send by the php script.
In the old setup we were using mod_auth_script(http://sourceforge.net/projects/mod-auth-script/), but as that is a rather obscure apache module I'd rather have a more common solution if possible.
You can use .htaccess and mod_rewrite to redirect requests to php script. Try some googling and you will find lots of examples.
.htaccess contents example:
Options +FollowSymLinks
RewriteEngine on
RewriteRule ([0-9a-z-_]+)\.swf$ checkForAuth.php?&file=$1 [L]
This will call checkForAuth.php when someone will try to access *.swf file. In checkForAuth.php you need to check your session, read contents from $_GET['file'], set correct headers (content-type for flash) and output contents of requested SWF file.
Related
I'm very new to php and web , now I'm learning about oop in php and how to divide my program into classes each in .php file. before now all I know about php program, that I may have these files into my root folder
home.php
about.php
products.php
contact.php
So, whenever the client requests any of that in the browser
http://www.example.com/home.php
http://www.example.com/about.php
http://www.example.com/products.php
http://www.example.com/contact.php
No problem, the files will output the proper page to the client.
Now, I have a problem. I also have files like these in the root folder
class1.php
class2.php
resources/myFunctions.php
resources/otherFunctions.php
how to prevent the user from requesting these files by typing something like this in the browser ?
http://www.example.com/resources/myFunctions.php
The ways that I have been thinking of is by adding this line on top of every file of them exit;
Or, I know there is something called .htaccess that is an Apache configuration file that effect the way that the Apache works.
What do real life applications do to solve this problem ?
You would indeed use whatever server side configuration options are available to you.
Depending on how your hosting is set up you could either modify the include path for PHP (http://php.net/manual/en/ini.core.php#ini.include-path) or restricting the various documents/directories to specific hosts/subnets/no access in the Apache site configuration (https://httpd.apache.org/docs/2.4/howto/access.html).
If you are on shared hosting, this level of lock down isn't usually possible, so you are stuck with using the Apache rewrite rules using a combination of a easy to handle file naming convention (ie, classFoo.inc.php and classBar.inc.php), the .htaccess file and using the FilesMatch directive to block access to *.inc.php - http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess/
FWIW all else being equal the Apache foundation says it is better/more efficient to do it in server side config vs. using .htaccess IF that option is available to you.
A real-life application often uses a so-called public/ or webroot/ folder in the root of the project where all files to be requested over the web reside in.
This .htaccess file then forwards all HTTP requests to this folder with internal URL rewrites like the following:
RewriteRule ^$ webroot/ [L] # match either nothing (www.mydomain.com)
RewriteRule ^(.*)$ webroot/$1 [L] # or anything else (www.mydomain.com/home.php)
.htaccess uses regular expressions to match the request URI (everything in the URL after the hostname) and prepends that with webroot/, in this example.
www.mydomain.com/home.php becomes www.mydomain.com/webroot/home.php,
www.mydomain.com/folder/file.php becomes www.mydomain.com/webroot/folder/file.php
Note: this will not be visible in the url in the browser.
When configured properly, all files that are placed outside of this folder can not be accessed by a regular HTTP request. Your application however (your php scripts), can still access those private files, because PHP runs on your server, so it has filesystem access to those files.
I need to know if after creating the .htaccess file I have to call it within the index page, knowing that the main page is unique (only index.php) and all pages are taken from a database.
The web server that I use Apache.
The file with filename .htaccess is an extension to the webserver configuration (most commonly httpd.conf) that is loaded automatically by Apache when a file or script is loaded or executed in the directory, or any child-directories, where the .htaccess file is placed.
Furthermore, php scripts (or any scripts for that matter) have no knowledge at all of the existence of a .htaccess, nor should they care. They can be depended on configuration settings however, eg. any rewrite rules that pipe all incoming requests through a so-called front-controller (most commonly index.php), but they do not know of it's existence. Any configuration could also be placed somewhere else in the configuration tree.
For further info I'd advise you to read about Apache, or webservers in general, and learn how a common (http) request is fulfilled. It'll give you some understanding of what the .htaccess file exactly does, and does not, and how it is related, or unrelated, to any scripts.
You don't need to explicitly call the htaccess file from any of the php pages
htaccess rules will automatically apply to all the files and sub folders within the specific folder where htaccess file is placed
You cannot call the .htaccess file, it is an instruction set to the server on how to handle requests (amongst other things). You should place it in the root directory and Apache will look for it automatically when a request to the server is made for any webpage or other file.
You can also have a .htaccess flie in each folder (directory) to control requests specific to it.
I am on shared host and PHP is inatalled as CGI script and that is all the problem i am not able to find whether mod_rewrite if enable or not
Note: I don't have any root level access so i can't much do with Shell.
I have tried the following :
1) checked in phpinfo() where i came to know about that this is the wrong place to look for in PHP-CGI.
2) I have tried getting it from apache_get_modules which agi does not work in PHP-CGI :(
3) I have tried :
if (strpos(shell_exec('/usr/local/apache/bin/apachectl -l'), 'mod_rewrite') !== false) {
// mod_rewrite is enabled
}
which is asking for path to apache and i dont have this info SHELL cant reply to me and $_SERVER has nothing.
4) I have checked with RewriteEngine On in .htaccess and after this my site is throwing 500 Internal server error may be because of RewriteEngine is not there, but i need this is written to show someone.
Any body has any idea how to check get this DONE.
Thanks
With PHP CGI there is no easy way to find out whether mod_rewrite is available or not on the server.
So, you need to find out it by making a test call to the server. You can use the following steps for this method,
Create a directory named mod_rewrite_test on the server.
Add .htaccess file in this directory with the following code,
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /mod_rewrite_test
RewriteRule .* mod_rewrite_test.txt
</IfModule>
a. first line tells apache to execute the below code only if mod_rewrite is available,
b. second line enables rewrite engine,
c. third line sets rewrite base directory path which is from DOCUMENT_ROOT
d. forth line returns the content of mod_rewrite_test.txt file to any request sent to mod_rewrite_test directory.
Create a file named mod_rewrite_test.txt in the same directory. Write ok in this file and save it.
Now, using CURL in your php script, call the URL similar to,
http://www.your-domain.com/mod_rewrite_test/test.php
and check the response.
So, as per our .htaccess code, if mod_rewrite is active and working on the server,
it will return the content of mod_rewrite_test.txt file i.e. ok even though the test.php file does not exists.
Otherwise, it will return 404 - Page not found error.
To check if mod_rewrite module is enabaled, create a new php file in your root folder of your server. Enter the following
echo phpinfo();
And access file in your browser.
I have an idea that will allow a Web Forums Content/Threads to be better indexed by search engines but avoid taking up too much unnecessary space on the web server.
My idea is not unique(I think StackOverflow uses it) but I am having difficulty working out how I am going to achieve redirecting through .htaccess commands or main server configuration files.
For a web forum website; when a new thread is created:
I store the thread HTML in an SQL database(rather than creating a HTML file which I think will take up more server space - is that correct?).
I create a directory on the server where the directory's name is the threads name(this will allow for easier indexing from google & other search engines wont it? Because the url is more descriptive?). So www.myForum.com/posts/unique_thread_name/. I think this is how StackOverflow does this, if you look at the url of my question its a directory.
The new directory(thread directory) will be empty except for a .htaccess file which will redirect to a script www.myForum.com/cgi-bin/loadWebpage.py. This script will grab the thread's HTML from the database when accessed & display that thread.
So when someone accesses www.myForum.com/posts/unique_thread_name/, the .htaccess file will redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=unique_thread_name. Notice the arguments, is it possible for a .htaccess file to redirect to a script but pass arguments aswell?
My Questions:
The apache website says you should never use .htaccess files "In general, you should never use .htaccess files unless you don't have access to the main server configuration file.". If I am using a webhost like GoDaddy do I have access to this file or is this server config file only for VPS?
Is it better to do this with the Server Config file instead?
Is there a way easier way of doing this? The whole idea is to store Forum Threads that take up as little space as possible but are still easy for search engines to index(thus the unique directories created).
Do I NOT need to create a .htaccess file in each post directory? Can I just write in my main .htaccess file that any request to a file/folder in posts should redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=the directory they accessed?
Maybe the code would look something like this?
Redirect /posts/* www.myForum.com/cgi-bin/loadWebpage.py?thread="HOW DO I SPECIFY THE FOLDER?"
If I am using a webhost like GoDaddy do I have access to this file or is this server config file only for VPS?
Godaddy shared hosting only allows .htaccess use.
Is it better to do this with the Server Config file instead?
Its better performing if you have access to Server Config, but shared hosting like Godaddy does not allow it.
Do I NOT need to create a .htaccess file in each post directory? Can I just write in my main .htaccess file that any request to a file/folder in posts should redirect to www.myForum.com/cgi-bin/loadWebpage.py?thread=the directory they accessed?
You can do it with a single .htaccess in the root dir of your site with contents as below
RewriteEngine on
RewriteBase /
RewriteRule ^posts/(.+)/$ /cgi-bin/loadWebpage.py?thread=$1 [NC,L]
I have a JS file that has a path to another script. If I do not want to reveal my directory structure, what would be the best way to obscure it?
For example, can I add a rewrite rule in .htaccess file and use that in my JS file or is there a better way to do that?
Current JS file:
URL_PATH = '/incl/pro/dir/files/server.php';
// change to:
URL_PATH = '/dir/server.php';
Create a .htaccess file in your DOCUMENT_ROOT location with following content:
Options +FollowSymlinks -MultiViews
RewriteEngine on
RewriteRule ^dir/(.*)$ /incl/pro/dir/files/$1 [L,NC]
Rewrite rule will take care of forwarding your request of /dir/server.php to /incl/pro/dir/files/server.php internally.
Yes, this would be a good use of .htaccess files to obscure the actual locations of files.
I'm a bit confused by what you're trying to ask here.
A js file is executed on the client machine, not the server machine. So whatever paths you may put on a js script will never be executed on the client machine unless they happen to have that exact path.
A better alternative is to not include paths to a script. Instead have a ajax call to that script. You can't trust that whatever hitting that .php script is from a js file or from someone manually typing it in.
For example, if your site dir is at /incld/site/scripts/yourscript.php and in your js file, you can make an ajax using jQuery to GET the content of www.yoursite.com/scripts/yourscripts.php and parse out whatever you need or execute a script that is required.