kbit
htaccess rewrite to prevent direct file access
Hi,
I have a website, let's call it "www.somewhere.com"
This website has a directory called "orderuploads" into which people can upload files using my website.
These uploaded files must only be accessible by one URL "www.somewhere.com/uploadorders.php"
Accessing the uploaded files directly like "www.somewhere.com/orderuploads/image.jpg" via a browser must be prevented.
From what I can gather, htaccess must be used with a rewrite but can someone please provide the necessary code?
Thanks in advance
ASKER
Thanks for those suggestions.
I tried
order deny,allow
deny from all
and it nicely prevents the direct access but it also prevents the file being opened/downloaded via "www.somewhere.com/uploadorders.php". I need the latter
Hmmm...
Since I can't test... Something like this maybe?
RewriteCond %{HTTP_HOST} ^xxx\.com$
RewriteRule ^$ http://www.xxx.com/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?xxx\.com/ [NC]
RewriteRule ^_files/uploadorders/[^.]+\.(jpe?g|gif|bmp|png)$ - [F,NC]
ASKER
That allows the file to be accessed directly and also using the website
It's difficult without testing, I'm not doing htaccess editing all the time :-)
What if we take the first one again but amend it like this:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
I'll keep scratching my brain.
ASKER
Thanks for your help.
The more I think about it the more I think it might not be possible.
For example, there may not be any difference between accessing a file directly using a URL and accessing it through the website, they're still under a domain (127.0.0.1).
A better way might be for me to add an index file to the folder preventing file listings. Then when the files are being uploaded, disguise their names. So instead of "logo.jpg", use "logo_20130626125312.jpg" which would be yyyymmddhhmmss
ASKER
I only got two of the suggested ideas to work...one idea proposed by spravtek, one by me
Or if you want to allow access to certain files:
You might need to play around with the order of "Allow,Deny" depending on the use.
"Order Deny,Allow" means that the deny rules are processed before the allow rules and vice versa.
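An added example, not part of the thread and not any participant's code: one way to get the behaviour the question asks for is to keep "Deny from all" in orderuploads/.htaccess and have uploadorders.php read the file from disk and stream it, since Apache's access rules apply to HTTP requests and not to PHP's own filesystem reads. The `file` parameter name, the session check and the extension allow-list are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: uploadorders.php as the only route to files in a directory
// that Apache denies to direct requests (orderuploads/.htaccess: Deny from all).
const UPLOAD_DIR = __DIR__ . '/orderuploads';   // assumed layout
const ALLOWED_TYPES = [                         // assumed allow-list
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif', 'bmp' => 'image/bmp',
];

// Map a client-supplied name to a real file inside UPLOAD_DIR, or null.
function resolve_upload(string $requested): ?string
{
    $name = basename($requested);               // drop any directory part
    // Plain names only: no leading dot, no quotes, CR/LF or slashes.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/D', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // realpath() resolves symlinks; reject anything that leaves UPLOAD_DIR
    // or whose resolved name differs from the requested one.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)
        || basename($path) !== $name
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {              // hypothetical login check
    http_response_code(403);
    exit('Forbidden');
}
$file = $_GET['file'] ?? '';                    // assumed parameter name
$path = is_string($file) ? resolve_upload($file) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

With this layout the page links to uploadorders.php?file=name.jpg instead of to /orderuploads/name.jpg, so the access decision is made in PHP and does not depend on the client-supplied Referer header or on file names being hard to guess.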