OneWorld



Joined: 07/04/09
Posts: 1898
.htaccess
      #1115155 - 14/08/14 11:40 AM
I have done a little website which contains people's names and addresses, which I want to restrict to myself and a couple of other authorised users.

I have managed to get password access set but think if anyone happened across the site, they could just type in the name of a .php file, for example allusers.php type that in the URL and then the casual user is in, circumventing the log.

I have read on the web that this can be avoided by using an .htaccess file with the following contents, and this file placed in the site's root folder...

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

Have done this, created the file, saved it as .htaccess and uploaded to the root folder, but still the filenames can be seen in the URL?

I am aware that UNIX makes a .htaccess file invisible, so yes I call it x.htaccess and rename it accordingly once uploaded


Neokoenig



Joined: 24/05/08
Posts: 315
Loc: Oxford
Re: .htaccess new [Re: OneWorld]
      #1115189 - 14/08/14 02:27 PM
Use htpasswd and htaccess combined:
http://www.htaccesstools.com/htaccess-authentication/

&

http://www.htaccesstools.com/htpasswd-generator/

That'll block any access to a restricted set of users.

--------------------
Web Design ~
Drum Studio


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: Neokoenig]
      #1115220 - 14/08/14 08:11 PM
Quote Neokoenig:

Use htpasswd and htaccess combined:
http://www.htaccesstools.com/htaccess-authentication/

&

http://www.htaccesstools.com/htpasswd-generator/

That'll block any access to a restricted set of users.




Access to the website is already by way of UserID + Password. But once 'in' the files can be seen in the URL.

I have noticed on some sites it just gives the folder name but not the files within it. It is that which I am trying to achieve

Using the method you suggest above, does that mean I have to password protect every file the site consists of?


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: OneWorld]
      #1115227 - 14/08/14 11:41 PM
I did it, sort of using iframes, ok someone can right click and view the files, but am disabling right click. .htaccess would have been better but it seems that module isn't loaded - it is a free hosting company am using so I can't really complain

All I wanted to do was put a list of names and addresses and phone numbers in an online php/SQL database, but for reasons of data protection, don't want the whole world to see them


Neokoenig



Joined: 24/05/08
Posts: 315
Loc: Oxford
Re: .htaccess new [Re: OneWorld]
      #1115274 - 15/08/14 11:07 AM
To clarify what you're trying to do:

Let's say you have /telephone.php which renders a list of telephone numbers from a database;
URL rewriting could render that file as /telephone/, but won't stop access to /telephone.php (nor indeed /telephone/) if you know the URL.

If using .htaccess has been disabled from an Apache config level (i.e. higher up), you're sod out of the luck, likewise if the URL rewriting module hasn't been enabled.

So in order to secure data, assuming you've got a username/password system in place, you need to assign a session variable which declares whether the current user is logged in; here's a basic guide: http://stackoverflow.com/questions/1545357/how-to-check-if-a-user-is-logged-in-in-php

Don't rely on iframes as a measure of security - remember I can just look at the source code of the page and access the iFrame directly, and don't rely on disabling right click, it's very easily overridden, and is (IMO) extremely annoying as an end user.

--------------------
Web Design ~
Drum Studio
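
Added example, not part of the original posts: a minimal PHP include that implements the session check described above, so that requesting allusers.php or directory.php directly redirects to the login page unless the visitor has logged in. The file name auth.php, the session keys logged_in and last_seen, the 15-minute idle limit and the function names are assumptions made for this example; /index.php as the login page follows the thread.

```php
<?php
// auth.php (hypothetical name). Every protected page starts with:
//     require __DIR__ . '/auth.php';
//     require_login();
// placed before any HTML output, so the redirect header can still be sent.

const IDLE_LIMIT = 900; // seconds of inactivity before re-login (example value)

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([              // array form needs PHP 7.3+
        'httponly' => true,                  // cookie not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']), // Apache sets HTTPS only on TLS requests
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Pure check, kept separate so it can be exercised without a web server.
function is_logged_in(array $session, int $now): bool
{
    return !empty($session['logged_in'])
        && ($now - (int)($session['last_seen'] ?? 0)) <= IDLE_LIMIT;
}

function require_login(): void
{
    start_session();
    if (!is_logged_in($_SESSION, time())) {
        $_SESSION = [];                      // drop any stale state
        header('Location: /index.php');      // login page, as in the thread
        exit;                                // without exit the page body is still sent
    }
    $_SESSION['last_seen'] = time();
}

// Called by index.php when the login form is submitted.
// $storedHash is assumed to come from password_hash(), not a plain-text password.
function log_in(string $password, string $storedHash): bool
{
    start_session();
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);             // fresh session ID defeats session fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['last_seen'] = time();
    return true;
}
```

The check runs on the server for every request, so it holds whether the page is reached through a link, an iframe or a typed URL.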


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: OneWorld]
      #1115291 - 15/08/14 01:35 PM
Yep, thanks, that seems to make more sense, only a logged in user could do a guesswork search on a filename?

eg........www.mysite.com/directory.php

So each php page on the website would begin with a sessionid check and if that is empty then the user is redirected to login page?

eg...

login at index.php sessionid[1] => directory.php if sessionid[1] else if sessionid[] then index.php?


Anyway I think I get it now and seems a much safer way of doing things, thanks


Scramble
active member


Joined: 11/09/02
Posts: 2186
Re: .htaccess new [Re: OneWorld]
      #1115292 - 15/08/14 01:54 PM
What's the website? World United Paranoid Conspiracy Theorists?

If you're worried about someone guessing the filename just give it a hard-to-guess name.


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: Scramble]
      #1115307 - 15/08/14 05:00 PM
Quote Scramble:

What's the website? World United Paranoid Conspiracy Theorists?

If you're worried about someone guessing the filename just give it a hard-to-guess name.




No, it's called respecting people's privacy

There are legal/privacy issues involved, that on a 'need to know' basis wouldn't extend to yourself.

Suffice it to say - there's a reason for everything.

Apart from all that, I am bound by the Data Protection Act.


Scramble
active member


Joined: 11/09/02
Posts: 2186
Re: .htaccess new [Re: OneWorld]
      #1115318 - 15/08/14 06:42 PM
It might be nice to trust your bandmates. You know, to promote band harmony and all that.


Neokoenig



Joined: 24/05/08
Posts: 315
Loc: Oxford
Re: .htaccess new [Re: Scramble]
      #1115327 - 15/08/14 09:40 PM
Security through obscurity is not security at all.

--------------------
Web Design ~
Drum Studio


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: Scramble]
      #1115350 - 16/08/14 09:58 AM
Quote Scramble:

It might be nice to trust your bandmates. You know, to promote band harmony and all that.




Has no one ever got round to telling you - don't come to conclusions based on assumptions. The site has nothing to do with bandmates, it is a completely separate venture relating to a charitable cause I am volunteering for and privacy is a profound issue.

Am sorry am not inclined to trot out all the why's and wherefores as that doesn't really lead to the answer I am looking for, it is technical expertise I seek. Do you have that expertise?


Neokoenig



Joined: 24/05/08
Posts: 315
Loc: Oxford
Re: .htaccess new [Re: OneWorld]
      #1115356 - 16/08/14 12:14 PM
Quote OneWorld:

Yep, thanks, that seems to make more sense, only a logged in user could do a guesswork search on a filename?

eg........www.mysite.com/directory.php

So each php page on the website would begin with a sessionid check and if that is empty then the user is redirected to login page?

eg...

login at index.php sessionid[1] => directory.php if sessionid[1] else if sessionid[] then index.php?


Anyway I think I get it now and seems a much safer way of doing things, thanks




Basically, yep;

I actually tend to do a matrix in the session scope of boolean values, and then check against their existence dependent on role.

so if you had a user who had session.role = "admin", then you could look up the admin privs in the matrix dependent on permission + role.

This isn't PHP, but gives you an idea what I'm on about:
Role based permissions.

--------------------
Web Design ~
Drum Studio


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: OneWorld]
      #1115359 - 16/08/14 12:35 PM
Actually there only needs to be one login and there are a handful of trusted individuals who have the userID, Password. But the organisation itself is mindful of Data Protection issues and want to be sure that those in the database itself will not have their details disclosed to the world at large.

We, (the admin group) at present keep the details on each of our computers, but as the database grows, as you can imagine, version control is becoming an issue, so it occurred to me, why not an online database, seems to be the ideal as all members can instantly check details and edit as required, security is an issue though.


Neokoenig



Joined: 24/05/08
Posts: 315
Loc: Oxford
Re: .htaccess new [Re: OneWorld]
      #1115363 - 16/08/14 01:47 PM
Whilst it's not a glamorous solution (and your data protection policy may prevent it) - many people have solved this issue simply with a shared Google spreadsheet

--------------------
Web Design ~
Drum Studio


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: Neokoenig]
      #1115387 - 16/08/14 11:41 PM
Quote Neokoenig:

Whilst it's not a glamorous solution (and your data protection policy may prevent it) - many people have solved this issue simply with a shared Google spreadsheet




Well as it happens we use an outlook.com email which of course offers Excel online, but they complain about it not being as straightforward and 'snappy' as the web version I did, which is simple userID + Password and there all the info is, and one click to edit plus all the immediate buttons for queries.

I have been working on the Sessions thing you suggested and am getting there, I think! Thanks,


fieldrecords



Joined: 06/04/06
Posts: 7
Re: .htaccess new [Re: OneWorld]
      #1115391 - 17/08/14 06:56 AM
By the sound of it you just need to set a variable in session and if it is not set redirect to a page that tells the user that they are not logged in.

You could also look at a CRM like Sugar which has a free version and will give you lots of functionality.


OneWorld



Joined: 07/04/09
Posts: 1898
Re: .htaccess new [Re: fieldrecords]
      #1115438 - 17/08/14 05:35 PM
Quote fieldrecords:

By the sound of it you just need to set a variable in session and if it is not set redirect to a page that tells the user that they are not logged in.

You could also look at a CRM like Sugar which has a free version and will give you lots of functionality.




Yes have used that method in the distant past, just forgot how to do it, will get my notes out though and I'll be fine, thanks


fieldrecords



Joined: 06/04/06
Posts: 7
Re: .htaccess new [Re: OneWorld]
      #1115450 - 17/08/14 08:20 PM
Here's a quick page that goes through the process.

http://www.sourcecodetuts.com/php/27/how-create-login-page-php-and-mysql-session

Let me know if you have any problems with it.


Scramble
active member


Joined: 11/09/02
Posts: 2186
Re: .htaccess new [Re: OneWorld]
      #1115477 - 18/08/14 09:21 AM
Quote OneWorld:

Has no one ever got round to telling you - don't come to conclusions based on assumptions. The site has nothing to do with bandmates, it is a completely separate venture relating to a charitable cause I am volunteering for and privacy is a profound issue.




Not a band website? Well, snap my stays and call me granny!


All contents copyright © SOS Publications Group and/or its licensors, 1985-2014. All rights reserved.