
.htaccess allow access to files only from includes

I have various subfolders on my website and I would like the user not to be able to access them through the URL, but at the same time I want my main PHP files to be able to include them or use them as actions on forms or links.

I tried using an .htaccess with

<Files *>
    Order Allow,Deny
    Deny from All
</Files>

but it denied all access, even from within my own scripts. Logical, as I found out, but I do not know how to make it work. Any ideas?

P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.

Dimitris Damilos asked Mar 22 '12 15:03


3 Answers

I see a lot of answers with Allow,Deny not Deny,Allow

The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:

<Files .htaccess>
Order Allow,Deny 
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>

You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.

If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.

<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>

The Allow command, being more important because it is the final command, therefore allows those listed after the Allow From command.

xxx.xxx.xxx.xxx = Your IP

Real Investment Profit answered Oct 22 '22 06:10


Do this:

<Files *>
    Order Deny,Allow 
    Allow from 192.168.100.123 127.0.0.1
    Deny from all
</Files>

The list of IPs will be specific hosts you allow, like localhost.

This also works with the directive, not just file, if you want only certain directories blocked.

Ray answered Oct 22 '22 04:10
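The Order semantics discussed in the two answers above can be checked with a small model. This is an added example, not code from any of the posts: a simplified Python evaluator of the Apache 2.2 Order / Allow from / Deny from rules, covering only "all", single IPs and CIDR ranges. The function names and the sample client addresses (203.0.113.7 standing in for "Your IP", 198.51.100.20 for any other visitor) are constructed for illustration.

```python
# Added illustration: a simplified model of Apache 2.2 host-based access
# control (Order / Allow from / Deny from). Only "all", single IPs and CIDR
# ranges are modelled; hostnames, partial IPs and env= are out of scope.
import ipaddress

def _matches(specs, client):
    """True if the client IP matches any entry of an Allow/Deny list."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def is_allowed(order, allow, deny, client):
    """Decide one request the way the Order directive prescribes.

    The position of the Allow/Deny lines in the file plays no role;
    only the Order value decides which list has the last word.
    """
    allowed = _matches(allow, client)
    denied = _matches(deny, client)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is checked first, Deny last: any Deny match wins,
        # and a client matching neither list is denied by default.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, Allow last: any Allow match wins,
        # and a client matching neither list is allowed by default.
        return allowed or not denied
    raise ValueError("unknown Order value: " + order)

# Constructed sample data (not from the page).
TRUSTED = ["203.0.113.7", "127.0.0.1"]
CLIENTS = ["203.0.113.7", "127.0.0.1", "198.51.100.20"]

def demo():
    """Return (order, client, allowed) for 'Deny from all' plus TRUSTED."""
    return [(order, c, is_allowed(order, TRUSTED, ["all"], c))
            for order in ("Allow,Deny", "Deny,Allow") for c in CLIENTS]

if __name__ == "__main__":
    for order, client, ok in demo():
        print(f"Order {order:<10} {client:<14} -> {'200' if ok else '403'}")
```

The model covers HTTP requests only, which is where these directives apply: a PHP include of a file by filesystem path does not pass through them, while a form action or a link does, because the browser requests that file itself.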


There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...

/var/www/mysite.com/

Store your include files here:

/var/includes/

Then include them with a full path...

include '/var/includes/myincludes.inc.php';

From the web, the myincludes.inc.php file is completely inaccessible.

Surreal Dreams answered Oct 22 '22 05:10