macgruder


Directory protection with php

I know how to protect directories with the Apache .htpasswd thingy, and can easily protect individual files with a php/mysql logging system.

Is there a way to protect *directories* with a mysql/php logging system, perhaps integrating with apache?

The main point is to protect image directories. I know that they can be protected with apache via the deny from directive but it's fairly easy to get round this kind of protection, with a bot sending erroneous headers.

datibbaW

Do you have a working example of such a bot?

If you disable Indexes in apache configuration you can prevent the listing of directories.
I may be dumb, but if your server uses index.html as the start document for a directory, why not put a simple index.html which redirects back to the home page?

macgruder

ASKER

I'm really after something more secure than just hiding the directory contents.
For example, I have pdf files in a directory to which members have access. Suppose these are labelled 01.pdf, 02.pdf, etc.; then of course there would be links in the html to these pages.

Now suppose that a membership is cancelled. Then that person just has to type http://whatever.com/members/pdfs/01.pdf to download the file. Now I can use the

deny from all, allow from .whatever.com

apache directory, but to answer datibbaW's question all I have to do is use curl in the command line:

curl -O 'http://whatever.com/members/pdfs/[01-99].pdf' --referer 'http://whatever.com/'

to get all 99 pdfs!

Of course, I can use more random names than 01-99, but I'm just hoping that there is a better way!


One solution is to keep the pdfs themselves as binaries in the database, and have a password protected script to grab the binaries, but I'm a little worried that this way would be a burden on the database.
I heard something about authMySQL - an apache module
listening....
I think this is what you want, since you've got memberships and all; you can write a php-script for administration of your users.

authmysql is a module which needs to be compiled for apache and loaded using the LoadModule directive in the httpd.conf
ASKER CERTIFIED SOLUTION
webhermit

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks webhermit - I'll try that and get back to you. Hugely busy at the moment so it may take a couple of days!
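
The "password protected script" idea raised in the thread, sketched as an added example that is not code from any of the posts: the PDFs sit on disk outside the web root (rather than as binaries in the database) and a PHP script checks the session and the membership row before streaming a file, so neither a Referer header nor a guessed URL is enough. Assumed, hypothetical names: `PRIVATE_DIR`, the `members` table with an `active` column, `$_SESSION['member_id']` set by the existing login script, and the DSN and credentials.

```php
<?php
// download.php: added example, not code from the thread.
// Hypothetical names: PRIVATE_DIR, members.active, $_SESSION['member_id'],
// and the DSN/credentials below.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private/pdfs'; // outside the Apache DocumentRoot

session_start();

function deny(int $code): void
{
    http_response_code($code);
    exit;
}

// 1. The request must carry a logged-in session; Referer is never consulted.
if (!isset($_SESSION['member_id'])) {
    deny(403);
}
$memberId = (int) $_SESSION['member_id'];

// 2. Re-check membership in MySQL on every request, so a cancelled
//    account loses access even while its session is still alive.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'site_ro', 'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT 1 FROM members WHERE id = ? AND active = 1');
$stmt->execute([$memberId]);
if ($stmt->fetchColumn() === false) {
    deny(403);
}

// 3. Accept only names like 01.pdf, which rules out ../ and absolute paths.
$name = $_GET['file'] ?? '';
if (!is_string($name) || preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $name) !== 1) {
    deny(400);
}
$path = PRIVATE_DIR . '/' . $name;
if (!is_file($path)) {
    deny(404);
}

// 4. Stream the file; there is no direct URL to it under the web root.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Links in the members' pages would then point at `download.php?file=01.pdf` instead of at the file itself.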