7 Replies - 3787 Views - Last Post: 06 September 2012 - 02:27 AM

#1 Bocard

Apache (lamp) .htaccess question

Posted 05 September 2012 - 05:57 AM

Hi guys,

How's it going?

I have a problem and maybe someone can help me.

I have some files on the server which are protected using htaccess. My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality). Is there a way to specify that those protected files should be accessible if they are accessed from my form? Otherwise request password or something similar?
What are my options in order to be able to protect my files but still let them be accessed by the form (which is available for users)?


I posted my question here since my code is written in php, I am sorry if this is not the right place.

Thank you very much for your time.


Replies To: Apache (lamp) .htaccess question

#2 Dormilich

Posted 05 September 2012 - 06:37 AM

for .htaccess there is no difference if your form tries to access the file or anyone else. both types are regular HTTP requests (there might be a possibility to exclude GET, but not POST, though that's no guarantee either).

maybe the better possibility is to use an accessible Front Controller that accesses those files after verifying that the request is indeed coming from your form (e.g. by session, login or a validation code)

#3 KingCuddles

Posted 05 September 2012 - 07:47 AM

Never being one to question Dormilich, unless I am missing something, could you not do something like:

order deny,allow
deny from all
allow from 11.11.11.11



Where 11.11.11.11 is your web server's IP?

Not 100% sure if this would work or not, I am sure an Apache guru will correct me!

Edit: Obviously you are using a form and I somehow managed to miss that. Although Ajax may still allow you to do this?

This post has been edited by KingCuddles: 05 September 2012 - 07:50 AM


#4 StefanOnRails

Posted 05 September 2012 - 08:29 AM

Bocard, on 05 September 2012 - 02:57 PM, said:

My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality).

Do you really need to protect that controller.php?
Why don't you just check if( isset($_POST['submit']) ) and die('Some error') / redirect the user if not? I usually don't protect my php files via htaccess to avoid these kinds of problems.

This post has been edited by StefanOnRails: 05 September 2012 - 08:30 AM


#5 Bocard

Posted 05 September 2012 - 10:54 AM

Thank you all for the replies, I will see what I can do... So far I haven't decided how to approach this.

StefanOnRails, on 05 September 2012 - 05:29 PM, said:

Bocard, on 05 September 2012 - 02:57 PM, said:

My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality).

Do you really need to protect that controller.php?
Why don't you just check if( isset($_POST['submit']) ) and die('Some error') / redirect the user if not? I usually don't protect my php files via htaccess to avoid these kinds of problems.



I can't do that since some of the functionality of the Controller.php is returning some values from the db to Ajax to let the user know if his email is in our system or not. If it's not, he can't use it.

#6 Dormilich

Posted 05 September 2012 - 01:01 PM

@KingCuddles: for the server there is no difference between a form's request and an AJAX's request.

#7 no2pencil

Posted 05 September 2012 - 01:05 PM

As indicated in the topic, this is an Apache question, & not a php coding question. Moving to Web Servers & Hosting.

#8 StefanOnRails

Posted 06 September 2012 - 02:27 AM

Bocard, on 05 September 2012 - 07:54 PM, said:

I can't do that since some of the functionality of the Controller.php is returning some values from the db to Ajax to let the user know if his email is in our system or not. If it's not, he can't use it.

So your data is sent via Ajax? OK, I see 2 possible solutions for your issue:

  • Add your 'submit' value to your POST list manually:
    $("form#user_form").submit(function(){
        var form_data = $(this).serializeArray();
        // append a marker field to the serialized form data
        form_data.push({name: 'submit', value: true});
        $.post("your_page.php",form_data,function(data){
            // handle the server's response here
        });
        return false; // stop the normal (non-Ajax) form submission
    });

    and then you can check if( isset($_POST['submit']) ). On second thought, if your request is sent immediately after the user enters the e-mail (so you don't press the submit button), you can add custom variables inside your $.post function:
    $.post("your_page.php",{yourVarName: "someValue"},function(data){
        // handle the server's response here
    });

    and then, of course, you can check if the PHP var $_POST['yourVarName'] is set.

  • Solve the problem server-side by adding the following check:
    // Block non-Ajax access
    if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'){
        // handle the Ajax request here
    }else die('Non-Ajax');
    

I read somewhere that the second approach works only because JavaScript libraries such as jQuery send that request header, so it may not work if your Ajax request is sent via pure JavaScript (however, I never tested without jQuery, so it may not be entirely true).

This post has been edited by StefanOnRails: 06 September 2012 - 02:37 AM
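
The front-controller check suggested in post #2 (verify the request with a session-bound validation code before touching the protected file), sketched in PHP as an added example that is not code from any poster in this thread. The function names and the form_token field are hypothetical, and plain arrays stand in for $_SESSION and $_POST so the script runs from the command line.

```php
<?php
// Added example, not from the thread. issue_form_token(), request_is_from_form()
// and the 'form_token' key are hypothetical names.

// Called by the page that renders the form: create a random token, keep it
// server-side in the session, and embed the returned value in the form or in
// the data object passed to $.post().
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Called at the top of the front controller, before it includes controller.php.
// Markers such as $_POST['submit'] or the X-Requested-With header are not
// consulted: any HTTP client can set them. Only the value stored in the
// session decides.
function request_is_from_form(array $session, array $post): bool
{
    if (!isset($session['form_token'], $post['form_token'])) {
        return false;
    }
    if (!is_string($post['form_token'])) {
        return false; // form_token[]=x would arrive as an array
    }
    // Constant-time comparison of the stored and submitted tokens.
    return hash_equals($session['form_token'], $post['form_token']);
}

// Constructed demonstration data.
$session = [];
$token = issue_form_token($session);

$cases = [
    'form with valid token'    => ['email' => 'a@example.com', 'form_token' => $token],
    'direct POST, marker only' => ['email' => 'a@example.com', 'submit' => 'true'],
    'wrong token'              => ['email' => 'a@example.com', 'form_token' => str_repeat('0', 64)],
    'token sent as array'      => ['form_token' => ['x']],
];

foreach ($cases as $label => $post) {
    echo str_pad($label, 28), request_is_from_form($session, $post) ? "allow\n" : "deny\n";
}
```

In a deployed front controller the same two functions would be passed $_SESSION (after session_start()) and $_POST, and a false result would end the request with http_response_code(403) before controller.php is included; controller.php itself can then stay behind "deny from all".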
