Slyke

Here is my code solution. I'm not sure how secure this will be (Obviously $_GET['grantaccess']=="true" is going to be changed), any comments would be appreciated: <?php error_reporting(E_ALL); ini_set('display_errors', 1); $method="http"; $domain="example.com"; $defaultMIME="text/plain"; $fileType = $defaultMIME; if ($_GET['grantaccess']=="true") { $navFile=str_replace("..", "", $_GET['torun']); $fileURL=$method . '://' . $domain . '/' . $navFile; if (file_exists($navFile)) { $finfoHandler = finfo_open(FILEINFO_MIME_TYPE); $fileType = finfo_file($finfoHandler, $navFile); finfo_close($finfoHandler); if ($fileType===FALSE) { $fileType = $defaultMIME; } header('Content-Type: '.$fileType); $fileHandle = fopen($navFile, "r"); //$fileContents = stream_get_contents($fileHandle); //Can't use a URL with fopen, it will reexecute .htaccess. $fileContents = fread($fileHandle, filesize($navFile)); fclose($fileHandle); echo $fileContents; } else { header("HTTP/1.0 404 Not Found", true, 404); echo "Not Found"; } } else { header("HTTP/1.0 403 Forbidden", true, 403); echo "Access denied"; } I only wanted to give access to sub-directories from here, not anything above / when navigating from browser. I believe Apache is Chrooted anyway when you specify the virtual host's document root in the config, but I replaced all ".." with nothing just to be sure.

It's after the request comes in that PHP needs to be executed, but before it serves any files. It needs to run before apache runs htaccess files and after the connection comes in.

Here is my updated code that now fixes the query string issue. Still can't figure out how to stop .htaccess re-executing though. <?php $method="http"; $domain="example.com"; error_reporting(E_ALL); ini_set('display_errors', 1); if ($_GET['grantaccess']=="true") { $url=$method . '://' . $domain . '/' . $_GET['torun']; unset($_GET['torun']); unset($_GET['grantaccess']); //Comment out to prevent loop if (count($_GET) >= 1) { $queryString = "?" . http_build_query($_GET); } else { $queryString = ""; } //header ( 'Location: ' . $url . $queryString); printf ( 'Location: ' . $url . $queryString); } else { echo "Access denied"; }

@CroNiX It is passing the query string into the $_GET I just realized and I can write a function to put the original query string onto the header change. @Jacques1 I'm trying to add in 2 factor git authentication using a MySQL database (for the users, passwords, serials) over HTTPS, and disable the directory from public access. Just stuck on getting it to not re-execute the .htaccess file now.

Not sure if this is the right place for this, but I need to be able to run some PHP code before anything loads up on the server. So far I have a .htaccess file with the following in it: Options +FollowSymLinks RewriteEngine On RewriteBase / RewriteRule (.*) auth.php?torun=$1 [QSA] And in auth.php I have this: <?php $method="http"; $domain="example.com"; error_reporting(E_ALL); ini_set('display_errors', 1); if ($_GET['grantaccess']=="true") { header ( 'Location: ' . $method . '://' . $domain . '/' . $_GET['torun'] ) ; } else { echo "Access denied"; } So far it's working right up to the point where it runs header function. Once that's run there are 2 things which go wrong: It strips off the query string grantaccess=true (So that there is no query string at all). I need to have the query string left on. And the second - the most important thing, is that it re-executes the .htaccess file again (Which will cause an infinite loop if the query string is put on). I basically want to somehow disable it re-executing the .htaccess file, or make it only run once per page load/connection.