.htaccess

For anything relating to music-making on Windows computers, with lots of FAQs. Moderated by Martin Walker.

.htaccess

Postby OneWorld » Thu Aug 14, 2014 11:40 am

I have done a little website which contains people's names and addresses, which I want to restrict to myself and a couple of other authorised users.

I have managed to get password access set, but think if anyone happened across the site, they could just type in the name of a .php file, for example allusers.php, type that in the URL and then the casual user is in, circumventing the login.

I have read on the web that this can be avoided by using an .htaccess file with the following contents, and this file placed in the site's root folder...

# Turn on mod_rewrite (only takes effect if the host allows it in .htaccess)
RewriteEngine On
# Only rewrite when the requested path is not an existing file
RewriteCond %{REQUEST_FILENAME} !-f
# Map /allusers to /allusers.php internally; the .php file itself stays directly reachable
RewriteRule ^([^\.]+)$ $1.php [NC,L]

Have done this, created the file, saved it as .htaccess and uploaded to the root folder, but still the filenames can be seen in the URL?

I am aware that UNIX makes a .htaccess file invisible, so yes, I call it x.htaccess and rename it accordingly once uploaded.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Neokoenig » Thu Aug 14, 2014 2:27 pm

Use htpasswd and htaccess combined:
http://www.htaccesstools.com/htaccess-authentication/

&

http://www.htaccesstools.com/htpasswd-generator/

That'll block any access to a restricted set of users.
Neokoenig
Regular
Posts: 217
Joined: Fri May 23, 2008 11:00 pm
Location: Oxford
Re: .htaccess

Postby OneWorld » Thu Aug 14, 2014 8:11 pm

Neokoenig wrote:Use htpasswd and htaccess combined:
http://www.htaccesstools.com/htaccess-authentication/

&

http://www.htaccesstools.com/htpasswd-generator/

That'll block any access to a restricted set of users.

Access to the website is already by way of UserID + Password. But once 'in' the files can be seen in the URL.

I have noticed on some sites it just gives the folder name but not the files within it. It is that which I am trying to achieve.

Using the method you suggest above, does that mean I have to password protect every file the site consists of?
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby OneWorld » Thu Aug 14, 2014 11:41 pm

I did it, sort of, using iframes. OK, someone can right click and view the files, but I am disabling right click. .htaccess would have been better but it seems that module isn't loaded; it is a free hosting company I am using, so I can't really complain.

All I wanted was to put a list of names and addresses and phone numbers in an online php/SQL database, but for reasons of data protection, I don't want the whole world to see them.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Neokoenig » Fri Aug 15, 2014 11:07 am

To clarify what you're trying to do:

Let's say you have /telephone.php which renders a list of telephone numbers from a database;
URL rewriting could render that file as /telephone/, but won't stop access to /telephone.php (nor indeed /telephone/) if you know the URL.

If using .htaccess has been disabled from an apache config level (i.e. higher up), you're sod out of luck, likewise if the URL rewriting module hasn't been enabled.

So in order to secure data, assuming you've got a username/password system in place, you need to assign a session variable which declares whether the current user is logged in; here's a basic guide: http://stackoverflow.com/questions/1545357/how-to-check-if-a-user-is-logged-in-in-php

Don't rely on iframes as a measure of security - remember I can just look at the source code of the page and access the iFrame directly, and don't rely on disabling right click, it's very easily overridden, and is (IMO) extremely annoying as an end user.
Neokoenig
Regular
Posts: 217
Joined: Fri May 23, 2008 11:00 pm
Location: Oxford
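The session check Neokoenig describes, written out as an added example for this thread (it is not the code from the linked Stack Overflow answer, nor anything the hosting company provides): a guard file that every protected PHP page includes before it outputs anything, plus the login routine that sets the session variable the guard looks for. The users table, its columns (id, username, password_hash) and the file names are assumptions.

```php
<?php
// auth_check.php
// Added example, not code from the thread or from any linked guide.
// Assumed schema: a users table with columns id, username, password_hash,
// where password_hash was produced by password_hash().
//
// Usage at the very top of every protected page, e.g. directory.php,
// before any HTML is sent (a redirect header cannot follow output):
//   require_once __DIR__ . '/auth_check.php';
//   require_login();

declare(strict_types=1);

// Harden the session cookie; these must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session cookie
    'secure'   => true,   // only sent over HTTPS (relax only on local http development)
    'samesite' => 'Lax',
]);
session_start();

function is_logged_in(): bool
{
    // Only a value this code stored at login counts; nothing from the request does.
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

function require_login(string $login_url = '/index.php'): void
{
    if (!is_logged_in()) {
        // Redirect to the login page and stop. The exit is essential: without it
        // the rest of the protected page still executes and its data is sent
        // after the Location header, which is exactly the leak being avoided.
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// Check credentials against the database and, on success, mark the session as logged in.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = $row ? $row['password_hash'] : password_hash('dummy-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Fresh session id when privilege changes, so a session id handed to the
    // browser before login (session fixation) is not carried over.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The point of putting the check in one included file is that a page the author forgets to protect is the realistic failure; a single require_once at the top of each .php file is easy to grep for, whereas a rewrite rule or an iframe never stopped a direct request in the first place.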
Re: .htaccess

Postby OneWorld » Fri Aug 15, 2014 1:35 pm

Yep, thanks, that seems to make more sense, only a logged in user could do a guesswork search on a filename?

eg........www.mysite.com/directory.php

So each php page on the website would begin with a sessionid check and if that is empty then the user is redirected to login page?

eg...

login at index.php sessionid[1] => directory.php if sessionid[1] else if sessionid[] then index.php?


Anyway, I think I get it now and it seems a much safer way of doing things, thanks.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Scramble » Fri Aug 15, 2014 1:54 pm

What's the website? World United Paranoid Conspiracy Theorists?

If you're worried about someone guessing the filename just give it a hard-to-guess name.
Scramble
Frequent Poster
Posts: 2286
Joined: Tue Sep 10, 2002 11:00 pm
Re: .htaccess

Postby OneWorld » Fri Aug 15, 2014 5:00 pm

Scramble wrote:What's the website? World United Paranoid Conspiracy Theorists?

If you're worried about someone guessing the filename just give it a hard-to-guess name.

No, it's called respecting people's privacy.

There are legal/privacy issues involved, that on a 'need to know' basis wouldn't extend to yourself.

Suffice it to say - there's a reason for everything.

Apart from all that, I am bound by the Data Protection Act.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Scramble » Fri Aug 15, 2014 6:42 pm

It might be nice to trust your bandmates. You know, to promote band harmony and all that.
Scramble
Frequent Poster
Posts: 2286
Joined: Tue Sep 10, 2002 11:00 pm
Re: .htaccess

Postby Neokoenig » Fri Aug 15, 2014 9:40 pm

Security through obscurity is not security at all.
Neokoenig
Regular
Posts: 217
Joined: Fri May 23, 2008 11:00 pm
Location: Oxford
Re: .htaccess

Postby OneWorld » Sat Aug 16, 2014 9:58 am

Scramble wrote:It might be nice to trust your bandmates. You know, to promote band harmony and all that.

Has no one ever got round to telling you - don't come to conclusions based on assumptions. The site has nothing to do with bandmates, it is a completely separate venture relating to a charitable cause I am volunteering for and privacy is a profound issue.

I'm sorry, I am not inclined to trot out all the whys and wherefores, as that doesn't really lead to the answer I am looking for; it is technical expertise I seek. Do you have that expertise?
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Neokoenig » Sat Aug 16, 2014 12:14 pm

OneWorld wrote:Yep, thanks, that seems to make more sense, only a logged in user could do a guesswork search on a filename?

eg........www.mysite.com/directory.php

So each php page on the website would begin with a sessionid check and if that is empty then the user is redirected to login page?

eg...

login at index.php sessionid[1] => directory.php if sessionid[1] else if sessionid[] then index.php?


Anyway, I think I get it now and it seems a much safer way of doing things, thanks.

Basically, yep;

I actually tend to do a matrix in the session scope of boolean values, and then check against their existence dependent on role.

so if you had a user who had session.role = "admin", then you could look up the admin privs in the matrix dependent on permission + role.

This isn't PHP, but gives you an idea what I'm on about:
Role based permissions.
Neokoenig
Regular
Posts: 217
Joined: Fri May 23, 2008 11:00 pm
Location: Oxford
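Neokoenig's matrix of booleans in the session scope, sketched in PHP as an added example; it is not the code behind the "Role based permissions" link. It assumes the login code stored the user's role in $_SESSION['role'] at login time (an assumption about that code) and that a session guard such as the require_login() idea above has already run, so the role is read from the server-side session and never from the request.

```php
<?php
// permissions.php
// Added example, not the thread's own code. Assumes login stored the role in
// $_SESSION['role'] and that session_start() has already been called.

declare(strict_types=1);

// Role -> permission -> boolean. Anything not listed here is denied.
const PERMISSIONS = [
    'admin'  => ['view_directory' => true,  'edit_entry' => true,  'manage_users' => true],
    'editor' => ['view_directory' => true,  'edit_entry' => true,  'manage_users' => false],
    'viewer' => ['view_directory' => true,  'edit_entry' => false, 'manage_users' => false],
];

function role_allows(string $role, string $permission): bool
{
    // An unknown role or an unknown permission both fall through to false,
    // so a typo in either name fails closed rather than open.
    return PERMISSIONS[$role][$permission] ?? false;
}

function current_role(): string
{
    // Read only from the session; a logged-in user with no recorded role
    // gets the least privilege rather than an error path that might be skipped.
    return $_SESSION['role'] ?? 'viewer';
}

function require_permission(string $permission): void
{
    if (!isset($_SESSION['user_id']) || !role_allows(current_role(), $permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of edit.php, after the login guard has run:
//   require_once __DIR__ . '/permissions.php';
//   require_permission('edit_entry');
```

Keeping the matrix in one constant means a reviewer can see every role's rights on one screen, and the deny-by-default lookup means adding a new page with a new permission name gives nobody access until the matrix is deliberately updated.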
Re: .htaccess

Postby OneWorld » Sat Aug 16, 2014 12:35 pm

Actually there only needs to be one login and there are a handful of trusted individuals who have the userID, Password. But the organisation itself is mindful of Data Protection issues and want to be sure that those in the database itself will not have their details disclosed to the world at large.

We (the admin group) at present keep the details on each of our computers, but as the database grows, as you can imagine, version control is becoming an issue, so it occurred to me: why not an online database? It seems to be the ideal, as all members can instantly check details and edit as required; security is an issue though.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby Neokoenig » Sat Aug 16, 2014 1:47 pm

Whilst it's not a glamorous solution (and your data protection policy may prevent it) - many people have solved this issue simply with a shared Google spreadsheet :)
Neokoenig
Regular
Posts: 217
Joined: Fri May 23, 2008 11:00 pm
Location: Oxford
Re: .htaccess

Postby OneWorld » Sat Aug 16, 2014 11:41 pm

Neokoenig wrote:Whilst it's not a glamorous solution (and your data protection policy may prevent it) - many people have solved this issue simply with a shared Google spreadsheet :)

Well, as it happens we use an outlook.com email which of course offers Excel online, but they complain about it not being as straightforward and 'snappy' as the web version I did, which is simple userID + Password and there all the info is, and one click to edit plus all the immediate buttons for queries.

I have been working on the Sessions thing you suggested and am getting there, I think! Thanks,
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby fieldrecords » Sun Aug 17, 2014 6:56 am

By the sound of it you just need to set a variable in session and if it is not set redirect to a page that tells the user that they are not logged in.

You could also look at a CRM like Sugar which has a free version and will give you lots of functionality.
fieldrecords
Poster
Posts: 11
Joined: Wed Apr 05, 2006 11:00 pm
Re: .htaccess

Postby OneWorld » Sun Aug 17, 2014 5:35 pm

fieldrecords wrote:By the sound of it you just need to set a variable in session and if it is not set redirect to a page that tells the user that they are not logged in.

You could also look at a CRM like Sugar which has a free version and will give you lots of functionality.

Yes, have used that method in the distant past, just forgot how to do it, will get my notes out though and I'll be fine, thanks.
OneWorld
Frequent Poster
Posts: 2060
Joined: Mon Apr 06, 2009 11:00 pm

Re: .htaccess

Postby fieldrecords » Sun Aug 17, 2014 8:20 pm

Here's a quick page that goes through the process.

http://www.sourcecodetuts.com/php/27/how-create-login-page-php-and-mysql-session

Let me know if you have any problems with it.
fieldrecords
Poster
Posts: 11
Joined: Wed Apr 05, 2006 11:00 pm
Re: .htaccess

Postby Scramble » Mon Aug 18, 2014 9:21 am

OneWorld wrote:Has no one ever got round to telling you - don't come to conclusions based on assumptions. The site has nothing to do with bandmates, it is a completely separate venture relating to a charitable cause I am volunteering for and privacy is a profound issue.


Not a band website? Well, snap my stays and call me granny!
Scramble
Frequent Poster
Posts: 2286
Joined: Tue Sep 10, 2002 11:00 pm