We help IT Professionals succeed at work.

Directory protection with php

macgruder asked
I know how do protect Directories with Apache .htpasswd thingy, and can easily protect individual files with
php/mysql logging system.

Is there a way to protect *directories* with a mysql/php logging system perhaps integrating with apache.

The main point is to protect image directories. I know that they can be protected with apache via the deny from directive but it's fairly easy to get round this kind of protection, with a bot sending erroneous headers.

Watch Question

Do you have a working example of such a bot?

If you disable Indexes in apache configuration you can prevent the listing of directories.
Richard QuadlingSenior Software Developer

I may be dumb, but if your server uses index.html as the start document for a directory, why not put a simple index.html which redirects back to the home page?


I'm really after something more secure than just hiding the directory contents.
For example, I have pdf files in a directory to which members have access. Suppose these are labelled 01.pdf 02.pdf etc then of course there would be links in the html to these pages.

Now suppose that a membership is cancelled. Then that person just has to type http://whatever.com/members/pdfs/01.pdf to download the file. Now I can use the

deny from all, allow from .whatever.com

apache directory, but to answer datibbaW's question all I have to do is use curl in the command line:

curl -O 'http://whatever.com/members/pdfs/[01-99].pdf' -referer 'http://whatever.com/'

to get all 99 pdfs!

Of course, I can use more random names than 01-99, but I'm just hoping that there is a better way!

One solution is to keep the pdfs themselves as binaries in the database, and have a password protected script to grab the binaries, but I'm a little worried that this way would be a burden on the database.


I heard something about authMySQL - an apache module


I think this is what you want, since you've got memberships and all; you can write a php-script for administration of your users.

authmysql is a module which needs to be compiled for apache and loaded using the LoadModule directive in the httpd.conf
I have a trick that I use to do something sorta like that .... what I do is I put all those "maybe I'll let you access me" files in a non-web accessible directory, then I have a php page that checks to see if a users logged in and if its all good it just headers the proper content type and does
while (!feof($f)) {
$str = fgets($f);
print $str;


Thanks webhermit - I'll try that and get back to you. hugely busy at the moment so it may take a couple of days!

Explore More ContentExplore courses, solutions, and other research materials related to this topic.