tags:

views:

258

answers:

4
Q: 

PHP/Apache Deny folder access to user but not to script

Hey all,

So I have this php web app, and one of my folder contains some files that can be downloaded.

I have a download script that modifies the headers, in order to always offer a download link. (instead of showing a picture for example, when you click on a link, a download box pops out)

Right now, if you enter a url like: http://www.mywebsite.com/content/ You get the listing of all the downloadable files, and of course, you can just download them all, without going through the website interface.

Personally, I don't think it's a problem, since I often use downthemall or other downloading tool, and this type of access is a great time saver....

But of course my company does not think so :-p They want people to use the interface in order to view the Ads...

Would they be a way, maybe with a protected .htaccess, to leave the folder access to my download script, but deny access to the users...?

I hope I am making sense and you know what I mean :)

All help/remarks appreciated!

A: 

Yes, this is correct. .access files block access to the users, but has no influence on local serverscripts.

Ikke  2010-04-19 13:53:08
+4  A: 

Move the folder out of the webserver's root directory so that apache will not server files from that directory at all. You can still include files from the folder if it is readable by the apache/http user, but your site users won't be able to access it from any url.

Scott Saunders  2010-04-19 13:53:26
I tried that before, but when using a download script that modifies the http headers, it did not work...My folder permissions are correct but...
Piero  2010-04-19 14:10:36
Hey @Piero, what the heck do you mean under "script that modifies the http headers"? And have you ever heard a word "debugging"?
Col. Shrapnel  2010-04-19 14:20:53
It works, I do it all the time. Your script can be fixed. (@Col: He means the script through which users are supposed to download the file. It adds headers to force a download.)
Scott Saunders  2010-04-19 14:23:27
A:  
Deny from all

in the .htaccess or move the files above document root

Col. Shrapnel  2010-04-19 13:59:06
+1  A: 

You can make a .htaccess file and enter Options -Indexes this will disable listing of the files in the directory.

If you also need the traffic to originate from your site you will need to make a file say... index.php with code that checks $_SERVER['HTTP_REFERER'] to see if the traffic originates from your site.

EDIT

Oh I forgot you can actually fix it all in the .htaccess:

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your-host.com/.*$ [NC]
RewriteRule ^.* /403-page [L,R]

This will do all the work of the script I suggested, so you won't need it anymore.

ksangers  2010-04-19 14:03:52
That sounds good, I will try it and let you know if it did what I wanted!
Piero  2010-04-19 14:11:17
referer check will always repel some fair users
Col. Shrapnel  2010-04-19 14:21:27
Alright :) If you need help with the index.php just 'shout'
ksangers  2010-04-19 14:22:35
This will not prevent people from downloading the files directly, just listing the contents of the directory.
Scott Saunders  2010-04-19 14:24:11
@Col. Shrapnel: Absolutely, I would never choose that solution either, but it appears Piero's bosses/manager/... want just that though.
ksangers  2010-04-19 14:24:12
@Scott Saunders: that's why I hinted at the index.php that checks the $_SERVER['HTTP_REFERER'] to allow or deny access.
ksangers  2010-04-19 14:25:44
@Scott how this referer checking in the **script** will prevent **direct** (i.e. avoiding script) file access?
Col. Shrapnel  2010-04-19 14:31:08
@Col. Shrapnel: I think you're getting me mixed up with ksangers. I agree with you (Col.) completely, the script cannot prevent direct access.
Scott Saunders  2010-04-19 14:54:10
@Scott Saunders: Actually the script can block it. You need to enable `RewriteEngine` and add `RewriteRule ^.*$ index.php` to the .htaccess so all traffic goes to the index.php that handles what goes through and what does not.
ksangers  2010-04-19 15:02:47
Piero  2010-04-20 06:32:44

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases