Save special characters in htaccess file

Hi E's,
I try to save some code to .htaccess file, but unfortunately I have problems with the characters "<" and ">".
I have this code:
$final = "<IfModule mod_rewrite.c>"
file_put_contents('/home/anaepedro/www/.htaccess', $final);

Open in new window

The output of $final is a empty string.
I change my code for:
$urls[] = "&lt;" . "IfModule mod_rewrite.c" . "&gt;";

Open in new window

, the output is what I looking for: "<IfModule mod_rewrite.c>", that's good.
The problem is, when I save the code to the file, they will appear again like this: &lt;IfModule mod_rewrite.c&gt; in the htaccess file.

How I save in .htaccess file the string with the characters "<" and ">" correctly?

The best regards, JC
LVL 4
Pedro ChagasWebmasterAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Olaf DoschkeSoftware DeveloperCommented:
What do you mean with "output". When you display anything in a browser, which has brackets like these, it interprets this as tag and tags don't show. That's all, I think.

Look into the .htaccess file after FTP download, not via Browser.

Or right-click and "Show Page Source". The output IS there.

Bye, Olaf.
0
Pedro ChagasWebmasterAuthor Commented:
Hi @Olaf,
The output is when I do a echo after the code.
In FTP download:
the file .htaccess
So what I can do here?

~JC
0
Olaf DoschkeSoftware DeveloperCommented:
You have to revert to the original with < and >, of course.
&lt; and &gt; only change output in the browser, but are written out as is, you don't want that.

Everything was okay initially, you had a false alarm.

Bye, Olaf.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Become a Microsoft Certified Solutions Expert

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

Pedro ChagasWebmasterAuthor Commented:
In my case, is not false alarm.
For example, if I do this: echo "<hello>"; The result of echo is nothing.

~JC
0
Olaf DoschkeSoftware DeveloperCommented:
As siad, when you echo something with tag brackets to a browser,it doesn't appear rendered.

If you write out ANY html tag, does it appear?

Have you looked at the page source code? It's there.

But if you write <hello> to a file, it's <hello> in the file, and if you write &lt;hello&gt; to a file, it's &lt;hello&gt; in the file.

You just look at the text with the wrong tool, a browser doesn't display ANY tag, also not tags, that are not valid HTML tags. Still, it's there.

Bye, Olaf.
0
Olaf DoschkeSoftware DeveloperCommented:
When you still don't see it, output what you write into .htaccess inside a textarea:

//...
$final = "<IfModule mod_rewrite.c>";
file_put_contents('/home/anaepedro/www/.htaccess', $final);
//whatever else and more you add to the .htaccess file

echo '<textarea style="width:800px; height:600px;" readonly>';
include '/home/anaepedro/www/.htaccess';
echo '</textarea>';
//...

Open in new window


You shouldn't have any PHP script outputting .htaccess files, though, they can contain sensitive information, too, so actually you should FTP get the generated .htaccess and simply watch it in your favorite text editor, not in a browser, then you see what got into the file, and - surprise - it's literally what you had written to it.

What a browser does with any tag is interpreting it, and when it doesn't know a tag like <hello> or <IfModule mod_rewrite.c> it simply ignores it, but it never displays it. Using &lt; for < and &gt; for > lets the browser display < and >, but what's written to the file then literally is &lt; and &gt;, this just helps with the browser display without using a textarea, but it doesn't get what you want into the .htaccess file.

So yes, it was still false alarm, you're just not understanding a browser as HTML interpreter, it's not a text file display. When PHP sends Content-Type: text/html (and it always does, unless you override that), the browser displays anything you send it as HTML - even when you don't send out a <html> tag itself - and that means anything in pointy brackets is not shown but is interpreted as HTML, even non standard HTML tags, which means they are also not displayed but simply ignored. You still can see them in the page source.

Bye, Olaf.
1
Julian HansenCommented:
For example, if I do this: echo "<hello>"; The result of echo is nothing.
If viewing in a browser then do a View Source on the page to see the actual content. As Olaf pointed out anything that looks like a tag the browser will interpret as a tag and not render to the screen. The View Source output is the raw source.
1
Pedro ChagasWebmasterAuthor Commented:
Hello,
Olaf have a reason, yesterday I'm tired and don't think well.
This night in my office I will try again. I have tested in my library, and work well. I want to view the script in real situation.
I will give feed back later.
Thank you for both.

~ JC
0
Olaf DoschkeSoftware DeveloperCommented:
There is no doubt about the reasoning, but of course, test as you like. Just remember you always work in the realm of HTTP responses. The web server automatically adds at least the Content-Length header and a Content-Type header as said defaults to text/html. Many more headers are automatic and may respond to the request headers. All this is just not very obvious and always on the mind of PHP developers.

So as the client displaying the response is a browser, it does not only render in HTML mode when the response body begins with an HTML doctype nor an HTML tag, it's interpreting the response as HTML because of the Content-Type header and handles all discrepancies by rendering in quirks mode. That's not the reason the tags become hidden from display, that's also the case when the document is fully valid HTML (or apart from your unknown tags).

You can also let a browser display all your response body as plain text by first sending a header:
header('Content-Type: text/plain');

Open in new window


Adding that to my code (before any other echo output) you will also see the textarea tag displayed, simply all text of the response.

Only when you use other client tools, eg look into the raw response with curl you'll see all your text despite the text/html Content-Type header, but the same is true when viewing the page source.

Bye, Olaf.
1
gr8gonzoConsultantCommented:
No points for this - I just wanted to reiterate something that Olaf said:
You shouldn't have any PHP script outputting .htaccess files, though

You really need to pay attention to this phrase. The .htaccess file is very powerful. It's basically allowing you to override / extend the web server configuration. When someone eventually finds a vulnerability and possibly discovers that they can write content to .htaccess, they can do lots of malicious things. You NEVER want the .htaccess file to be able to be written to / updated by PHP. Your .htaccess file should normally use permissions 644 and be owned by root or some other user other than the web server user.
1
Olaf DoschkeSoftware DeveloperCommented:
I fully agree with gr8gonzo. I see a good usage of generated .htaccess files when they are not overseeable anymore. Or you do so for generating base .htaccess files with some dynamic variation when you have to maintain a big folder hierarchy.

Whatever reason, you can check what ends up in them via any text editor, when you're acting on the site directly. And when you act remotely then first FTP get them, as I mentioned, too.

Such scripts should not be available to run for anyone. Even just displaying content of .htaccess compares to a script executing phpinfo(). Your convenience of getting at that info easily becomes an open door for anyone interested to find vulnerabilities. Not only direct vulnerabilities, but also indirect, if a hacker knows weak points of certain version of PHP or of modules, it can be valuable info to just see what your server runs.

For the same reason of keeping sensitive information internal, PHP comes with php.ini-development and php.ini-production for easy switching of settings like error reporting. You sure want to see errors when developing but keep hints internal in production.

Bye, Olaf.
0
Pedro ChagasWebmasterAuthor Commented:
Hi E's,
First of all, thanks for the clarifications, in the part of the question, as well as the consequences.
This question, in fact, was a distraction. Who has not had doubts, even in very simple things?!
The question does not make sense, but I have to give the points.
Just to finish, and expert's spoke in security, I would like to show you my code. This script change the permissions of .htaccess for 777, write the file, and change the permission again to 644. I don't copy the code from any example or idea, Eventually I might even be doing the stupidest thing in the world, but I'd like to hear your opinion:
<?
    include "database.php";
    
    $urls[] = "<IfModule mod_rewrite.c>";    
    
    //Sistema para Criar URL's amigaveis de todo o sistema. Cada vez que é criado um novo URL amigavel, seja ele de que natureza for, o sistema roda este ficheiro, e o mesmo vai recriar todos os URL's amigaveis'
    
    //Começa pelos estáticos
    $consulta = $pdo->query("SELECT ficheiro, url_amigavel FROM paginas_estaticas where ficheiro != 'index.php'");
        while($final = $consulta->fetch(PDO::FETCH_ASSOC)){
            $urls[] = "RewriteRule " . "^" . $final[url_amigavel] . "$ /" . $final[ficheiro] . " [NC,L]";  
        }
    
    $urls[] = "</IfModule>";
    $final = implode("\n", $urls);

$pasta = "/www/.htaccess";
$conn_id = ftp_connect($ftp_server); 
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass); 
if (ftp_chmod($conn_id, 0777, $pasta) !== false) {
 
file_put_contents('/home/anaepedro/www/.htaccess', $final);
 
ftp_chmod($conn_id, 0644, $pasta);
ftp_close($conn_id);
}
?>

Open in new window


~JC
0
gr8gonzoConsultantCommented:
Well, you are using FTP to connect and do a chmod to a remote file, but you are writing to a local file. If PHP cannot write to the file without the FTP doing the chmod (maybe the FTP is using a separate account that CAN write to the file), then just write your data to a local temp file and use FTP to upload it with an ftp_put() call.

Then, you don't have to chmod the file at all.

Or even better, use a cron job that has a user who has permissions to write to the file directly, so you don't have to use the FTP extension at all.
0
Pedro ChagasWebmasterAuthor Commented:
(maybe the FTP is using a separate account that CAN write to the file
, yes it is. I have a subdomain where I have the contro panel of the project, and the project are in the main domain.

What did you think of the idea?

~JC
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.