
Use .htaccess to protect data files


sen5241b

IS-IT--Management
Sep 27, 2007
Yes, I have spent hours reading about this file (really!) and almost all forums describe .htaccess syntax in endless detail, but I've found none that give a good conceptual description of the security process behind .htaccess, especially with respect to who is accessing the file.

My website visitors (no logins) run a php script that accesses a textual data file. I don't want anonymous web visitors viewing the data file directly in their browser but they do need access to the data file through the script. I'd experiment more than I already have but I don't want to lock myself out of a directory!
 
Based on everything I've read and tried, you can't do it. You can deny a directory listing, you can completely deny access to the files in a directory based on many things like IP, user, etc., and you can allow access too.

... but you cannot both allow a web visitor to access an image or data file through html and php and simultaneously deny them direct access to that same file through a browser. For individual files, .htaccess allows access or it doesn't. Web visitors can do a "view source" to see the image or data file and then just type the URL to it.
 
I could have SWORN I just saw something that did JUST THAT. But I can't seem to find it. I will keep looking.
 
Maybe you could use something like:

<Files YOUR-FILE-NAME-HERE>
allow from 127.0.0.1
</Files>

on the datafile. This will allow local services (PHP) to access your file, but not the clients. Also don't be afraid to experiment. If you screw the htaccess, you can always remove it via FTP. NO htaccess can prevent FTP transactions.
 
Whoops, no edit button - put the above statement in the .htaccess file in the directory of the data file. Don't forget to include the extension of the file when you sub out YOUR-FILE-NAME-HERE.
 
Another Oops, this site NEEDS An EDIT FUNCTION!

Use this instead:
<Files YOUR-FILE-NAME-HERE>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
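The following is an added example, not code from the thread or from php.net, showing the pattern the .htaccess suggestion above is aiming at: the data file itself gets a blanket Deny, and the only way visitors reach its contents is through the script. The Deny applies only to HTTP requests that Apache maps onto that file; the script reads it from the filesystem with file_get_contents(), which .htaccess never sees, so the script keeps working. The filename records.txt, the `name;value` record format and the function names are assumptions for this example.

```php
<?php
// Added example (not from the thread): serve a data file through a script
// while .htaccess blocks direct browser requests for the file itself.
//
// .htaccess in the same directory as the data file (Apache 2.2 syntax, as
// used in the thread; on Apache 2.4 use "Require all denied" instead):
//
//   <Files "records.txt">
//       Order Deny,Allow
//       Deny from all
//   </Files>
//
// The Deny only affects HTTP requests for records.txt. PHP reads the file
// from disk, so the script below is unaffected.
// Filenames and the "name;value" record format are assumptions.

// Fixed path: never build this from $_GET/$_POST, or a visitor can point the
// script at any file the web server can read.
$dataFile = __DIR__ . '/records.txt';

// Parse "name;value" lines into an array; blank and malformed lines are skipped.
function load_records(string $path): array
{
    $rows = [];
    $text = @file_get_contents($path);
    if ($text === false) {
        return $rows; // missing or unreadable file: nothing to show
    }
    foreach (preg_split('/\r\n|\r|\n/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || strpos($line, ';') === false) {
            continue;
        }
        [$name, $value] = explode(';', $line, 2);
        $rows[] = ['name' => trim($name), 'value' => trim($value)];
    }
    return $rows;
}

// Render the records as an HTML table. Every field is escaped: as far as the
// browser is concerned the data file is untrusted input.
function render_table(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($r['value'], ENT_QUOTES, 'UTF-8')
               . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

header('Content-Type: text/html; charset=UTF-8');
echo render_table(load_records($dataFile));
```

To check the setup, request records.txt directly (Apache should answer 403) and then request the script (it should render the table). If the direct request still returns the file, the usual causes are that the server's AllowOverride for that directory does not include Limit, so Order/Deny/Allow in .htaccess is ignored, or that the file actually lives in a directory the .htaccess does not cover. Keeping the data file outside DocumentRoot altogether, with only the script inside it, removes the dependency on .htaccess entirely.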
 
Thanks for the suggestion, but this method did not prevent me from having direct access to the file. I copy-pasted your code and copy-pasted the filenames into .htaccess (then re-tried everything with a different file to be sure), but no go.

Saw the following code (blogged in the php.net manual) but it did not seem the best way to protect a file from direct access:

Code:
Order Allow,Deny
Allow from env=PHP_ALLOW
Then in your PHP script, before sending any content or header:

Code:
<?php
// client_may_view_image() is the site's own authorization check (not defined here)
$image = "/some/URL/path/test.png";
if (client_may_view_image($image)) {
  // Set the env var that the "Allow from env=PHP_ALLOW" rule looks for,
  // then let Apache serve the file as a subrequest
  apache_setenv('PHP_ALLOW', '1');
  if (virtual($image)) {
    exit(0);
  }
  echo "Oops, failed to fetch granted image $image (hammer your webmaster).\n";
} else {
  echo "Sorry buddy, you're not allowed in here.\n";
}
?>
 
A couple of other important notes! When finished, the script needs to get rid of the var or it hangs on forever. I had better luck with putenv than apache_setenv. To get rid of the var use:

Code:
putenv("TESTALPHA=TRUE");            // set the var
if (getenv("TESTALPHA")) { echo 'it still here'; }
else { echo 'it gone'; }
putenv('TESTALPHA=');                // clears the var (empty string), so getenv() now returns a falsy value
if (getenv("TESTALPHA")) { echo 'it still here'; }
else { echo 'it gone'; }
 