PHP Upload Script conflicts with HTPASSWD

Posted on 2008-11-11
Last Modified: 2012-05-05
Hi All,

I'm using a free PHP Upload script found here:

It's just what my client needs for their website. I've got everything working as planned, however, it appears that the administrative login function in the PHP script conflicts with my HTACCESS password protected directory. Very simply, the script resides in the folder that is protected. It's an upload function that is privy to clients only, not the public. When you are prompted by HTACCESS on page load, the username and password that exists in .htpasswd works like a charm. However, when you try to log in to the administrative section of the script, it fails. I think this is happening because the script is using HTTP authentication which conflicts.

Any help is greatly appreciated.
Here's the code from the config.php script:


$config['admin_actived'] = true;
$config['admin_username'] = "username";
$config['admin_password'] = "password";


Here's the code from my index.php page:


$auth = !$config['admin_actived'];
authorize(true); //silent authorize first
if (isset($_GET["admin"])) {

	Header("Location: ".rooturl());



Here's the code from my .htaccess:


AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

RewriteEngine on

RewriteCond %{QUERY_STRING} ^$
RewriteRule ([^\s]+).php$ $1.php?BAD_HOSTING=%{HTTP:Authorization}

RewriteCond %{QUERY_STRING} ^(.+)$
RewriteRule ([^\s]+).php $1.php?%1&BAD_HOSTING=%{HTTP:Authorization}


Question by:pmagony

    Accepted Solution

    > I think this is happening because the script is using HTTP authentication which conflicts.

    Yes, you can't use two HTTP authentication layers at the same time. If you're authenticated in /foo via .htaccess, you're not authenticated in your php script, if you're now authenticated in/for your php script, you're not authenticated for the webserver (.htaccess); this process loops.

    Possible "solution": Don't use HTTP auth for your php script (maybe in favor of a login form which checks the supplied username/password and uses a session to store the login).
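
The login form plus session suggested in the accepted solution, as an added example that is not part of the upload script or of this thread. The `$config` keys follow the config.php quoted in the question; `admin_password_hash`, `admin_login()` and `is_admin()` are hypothetical names, and the sample credentials are constructed.

```php
<?php
declare(strict_types=1);
// Added example: the admin login is a form plus a PHP session, so the script never
// reads the Authorization header that .htaccess Basic auth already uses. Keys follow
// the page's config.php; 'admin_password_hash' (hypothetical) replaces 'admin_password'.
$config = [
    'admin_actived'       => true,
    'admin_username'      => 'username',
    // Constructed sample; in deployment store the password_hash() output itself.
    'admin_password_hash' => password_hash('password', PASSWORD_DEFAULT),
];
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict', 'secure' => !empty($_SERVER['HTTPS'])]);
session_start();

function admin_login(array $config, string $user, string $pass): bool
{
    // Evaluate both checks so timing does not reveal which field was wrong.
    $userOk = hash_equals($config['admin_username'], $user);
    $passOk = password_verify($pass, $config['admin_password_hash']);
    if (!$config['admin_actived'] || !$userOk || !$passOk) {
        return false;
    }
    session_regenerate_id(true);      // new session ID once privileges change
    $_SESSION['is_admin'] = true;
    return true;
}

function is_admin(): bool
{
    return ($_SESSION['is_admin'] ?? false) === true;
}
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$error = '';
if ($method === 'POST' && isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
} elseif ($method === 'POST') {
    $ok = admin_login($config, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    $error = $ok ? '' : 'Login failed.';
}
?>
<?php if (is_admin()): ?>
  <form method="post"><p>Admin session active.</p><button name="logout" value="1">Log out</button></form>
<?php else: ?>
  <form method="post"><p><?= htmlspecialchars($error) ?></p>
    <input name="user" autocomplete="username"> <input name="pass" type="password" autocomplete="current-password">
    <button>Log in</button></form>
<?php endif; ?>
```

Because the admin state lives in the PHP session, the browser keeps sending the .htpasswd credentials for the protected directory and the two layers no longer compete for the same Authorization header.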

    Author Closing Comment

    Thank you for your response. Here's what I ended up doing... I ended up making sure that the HTTP auth user/pass in the PHP script matched the user/pass for "administrator" in my htaccess/htpasswd files. This way, when I log in on the first layer, it automatically authenticates me with the script.

    All other user/pass combos are not admin so it works out perfectly.

    I'm going to credit you the points for setting my marbles back in order.

    Thanks bud!
