Jump to content

Execute PHP code before any files using .htaccess

Slyke

By Slyke
in PHP Coding Help

 Share

Recommended Posts

Slyke Newbie

Slyke

Posted
Posted (edited)
Not sure if this is the right place for this, but I need to be able to run some PHP code before anything loads up on the server.

So far I have a .htaccess file with the following in it:

 




Options +FollowSymLinks

RewriteEngine On

RewriteBase /

RewriteRule (.*) auth.php?torun=$1 [QSA]


 

And in auth.php I have this:

 



<?php

$method="http";

$domain="example.com";



error_reporting(E_ALL);

ini_set('display_errors', 1);



if ($_GET['grantaccess']=="true") {

  header ( 'Location: ' . $method . '://' . $domain . '/' . $_GET['torun'] ) ;

} else {

  echo "Access denied";

}

 

So far it's working right up to the point where it runs header function. Once that's run there are 2 things which go wrong:

It strips off the query string grantaccess=true (So that there is no query string at all). I need to have the query string left on.

And the second - the most important thing, is that it re-executes the .htaccess file again (Which will cause an infinite loop if the query string is put on). I basically want to somehow disable it re-executing the .htaccess file, or make it only run once per page load/connection.

Edited by Slyke
Link to comment
Share on other sites
Slyke Newbie

Slyke

Posted
  • Author
Posted (edited)

@CroNiX

It is passing the query string into the $_GET I just realized and I can write a function to put the original query string onto the header change.

 
 
@Jacques1
I'm trying to add in 2 factor git authentication using a MySQL database (for the users, passwords, serials) over HTTPS, and disable the directory from public access.
 
Just stuck on getting it to not re-execute the .htaccess file now.
Edited by Slyke
Link to comment
Share on other sites
Slyke Newbie

Slyke

Posted
  • Author
Posted

Here is my updated code that now fixes the query string issue.

 

Still can't figure out how to stop .htaccess re-executing though.

 

<?php
$method="http";
$domain="example.com";


error_reporting(E_ALL);
ini_set('display_errors', 1);


if ($_GET['grantaccess']=="true") {
  $url=$method . '://' . $domain . '/' . $_GET['torun'];
  unset($_GET['torun']);
  unset($_GET['grantaccess']); //Comment out to prevent loop
  if (count($_GET) >= 1) {
    $queryString = "?" . http_build_query($_GET);
  } else {
    $queryString = "";
  }
  //header ( 'Location: ' . $url . $queryString);
  printf ( 'Location: ' . $url . $queryString);
} else {
  echo "Access denied";
}
Link to comment
Share on other sites
jazzman1 Member

jazzman1

Posted
Posted (edited)

If the .htaccess file is your problem, then remove / rename it by using php, execute the script that you want to be executed and create / rename it again using php. This file is just a simple text file. Never try it, but it should work I think, however not sure what would happened if two or more users try to run the same script at the same time, you have to check before doing this :)

 

 

You can't do that. .htaccess is processed before anything else.

 

Using php into a shell it's like running a shell commands into the terminal. But not sure what happens if you try to run $_GET / $_POST variables into a shell.

Edited by jazzman1
Link to comment
Share on other sites
jazzman1 Member

jazzman1

Posted
Posted (edited)

.htaccess gets not-affected into files running by shell_exec using STDIN.

 

1.get_header.html

<form action="phpinfo.php">
    Name: 
    <input type="text" name="type" />
    <input type="submit" value="Go!"/>
</form>

2. phpinfo.php

<?php

if (defined('STDIN')) {
    $type = $argv[1];
} else {
    $type = $_GET['type'];
}

var_dump($type);

3. .htaccess

RewriteEngine on 
RewriteRule ^/?phpinfo.php$ http://phpfreaks.com [R=301]

4. shell_exec.php

<?php

$get= 'jazzman';

$cmd = shell_exec("php -f phpinfo.php type=".escapeshellarg($get));

echo $cmd;

So, he could achieve that with the code given above, but running php into a shell can be a challenge ;)

Edited by jazzman1
Link to comment
Share on other sites
CroNiX Member

CroNiX

Posted
Posted

.htaccess also cascades, so it will affect the dir it is in and any subdirs of that dir.  So it would also be possible to have another dir with php below the dir with .htaccess and .htaccess wont come into play for that request.

 

@jazzman1 yes, I agree .htaccess can also be bypassed via CLI. My earlier comment was directed at the OP's remark about having the request processed before .htaccess, which you can't do if accessing via a http request unless .htaccess is in a different dir.

 

Although I don't think any of these ways are really a good solution for the "git 2 factor authentication" issue. HTTP_BASIC_AUTH might be a better way to go, and you can create the htpasswd file via a php backend if it needs to be dynamic. Then they can get access by user:pass@host.com if they are authorized.

Link to comment
Share on other sites
Slyke Newbie

Slyke

Posted
  • Author
Posted
Here is my code solution. I'm not sure how secure this will be (Obviously $_GET['grantaccess']=="true" is going to be changed), any comments would be appreciated:

 




<?php



error_reporting(E_ALL);

ini_set('display_errors', 1);



$method="http";

$domain="example.com";



$defaultMIME="text/plain";



$fileType = $defaultMIME;



if ($_GET['grantaccess']=="true") {

  $navFile=str_replace("..", "", $_GET['torun']);

  $fileURL=$method . '://' . $domain . '/' . $navFile;



  if (file_exists($navFile)) {

  

    $finfoHandler = finfo_open(FILEINFO_MIME_TYPE);

    $fileType = finfo_file($finfoHandler, $navFile);

    finfo_close($finfoHandler);

    

    if ($fileType===FALSE) {

      $fileType = $defaultMIME;

    }

    

    header('Content-Type: '.$fileType);



    $fileHandle = fopen($navFile, "r");

    //$fileContents = stream_get_contents($fileHandle); //Can't use a URL with fopen, it will reexecute .htaccess.

    $fileContents = fread($fileHandle, filesize($navFile));

    fclose($fileHandle);

    

    echo $fileContents;

    

  } else {

    header("HTTP/1.0 404 Not Found", true, 404);

    echo "Not Found";

  }

  

} else {

  header("HTTP/1.0 403 Forbidden", true, 403);

  echo "Access denied";

}


 

 

 

I only wanted to give access to sub-directories from here, not anything above / when navigating from browser. I believe Apache is Chrooted anyway when you specify the virtual host's document root in the config, but I replaced all ".." with nothing just to be sure.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.