buddyh — 2012-02-25T09:37:49-05:00 — #1
I am developing a backend for my site and I have put all of my forms for doing SQL queries in includes/forms.
My index & edit pages etc. require login using the following code:
However, I can't put this code in my forms because it will throw an error for re-declaration, so I just put a .htaccess in the includes directory with deny from all.
So far, it's doing exactly what I want, the forms include in my pages & everything works and if I use my browser to navigate to the includes/forms directory or any of the files inside it, I get a forbidden message. Great!
Is this a common way to protect such files, or might this lead to any problems that I haven't thought of?
simpeligent — 2012-02-25T09:56:36-05:00 — #2
afaik: if you use user/pw on that folder, ppl will be asked to log in - even if the including page is NOT protected..
if you simply do something like
*.php deny all, it "should" work..
but I speak from memory - not tested recently..
if you want to use your quoted code, you need to buffer the output
on top of page make ob_start()
on bottom ob_end()
afaik you can redirect between those commands with header..
you can even start a session in between because no output-stream is opened until the ob_end() or ob_flush()
buddyh — 2012-02-25T10:05:34-05:00 — #3
Ok thanks, I'm not sure how to password protect the directory itself with PHP, I only know how to protect the file.
I used straight deny all with .htaccess, no access to anything in that folder and my pages still include the files ok. I just tried to remotely include the form and that doesn't work, so it seems pretty secure, but I guess maybe I should look up how to protect directories with the same login.
simpeligent — 2012-02-25T10:19:08-05:00 — #4
no, better not - for the include purpose, the password is the "no go"..
why it works with deny all and not with pw is that user/pw is I guess because it's an HTTP action - after the output stream was opened - the "deny all" obviously also applies to HTTP-type access to this folder..
PHP-including happens - so to speak - on a layer above - so it is not affected by htaccess rules
I guess we could say it that way: Apache reads the htaccess - not PHP!
the password user thing was just a problem I encountered once in the past, so I wanted to inform you about that possible problem
buddyh — 2012-02-25T11:11:25-05:00 — #5
Ah ok, that's a new lesson for me!
Thanks for this Hensel
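
An added example, not part of the thread: the `.htaccess` for the includes directory described above, written to deny all HTTP requests under both the Apache 2.2 syntax the posts use (`deny from all`) and the Apache 2.4 syntax (`Require all denied`). The `IfModule` wrappers and the assumption that the server permits these directives in `.htaccess` (via `AllowOverride`) are additions here; PHP `include`/`require` reads the files from disk and is not affected.

```apache
# includes/.htaccess
# Blocks every HTTP request for files in this directory and below.
# PHP include/require from pages outside this directory still works,
# because that is a filesystem read, not an HTTP request.

# Apache 2.4 and later: mod_authz_core provides "Require"
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: fall back to the older Order/Deny directives
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

If the directives are silently ignored, check that the server configuration does not set `AllowOverride None` for this path; requesting a file in the directory from a browser should return 403 Forbidden, as the first post reports.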