
Hi,

 

I have a few WordPress websites that I host for my clients. Because of the number of attacks they have been receiving lately, I have implemented a .htaccess file to block any IP address that's not in the whitelist. The problem I face is that every time the client moves from location to location or their IP address changes, I have to update the .htaccess file with their new IP.

I'm trying to build a script where they can access a URL with a key in it and submit their new IP address; the PHP script would then read the .htaccess and add the new IP. However, the 'echos' in the file seem not to be echoing any information to the screen and I'm faced with a blank white screen. Can anyone give me any ideas on how to do this, or have a look at the script I have written below?

<?php

if (isset($_GET('key')) && $_GET('key') = '78J89ke93k93HJ883j003') {
    
    $htaccess = '.htaccess';
    
    //read the entire file
    $str = file_get_contents($htaccess);
    
    //delete deny from all from file
    $str = str_replace('deny from all', '', $str);
    
    $ip = 'allow from ' . $_get('ip'); //'allow from 92.27.111.112';
    
    $str .= $ip;
	
	//re add deny from all to end of file
    $str .= "\n" . 'deny from all';
	
    if(file_put_contents($htaccess, $str)){
		echo 'IP ' . $ip . ' Added to .htaccess file';
	}

} else {
    echo 'Invalid Key';
}

?>

Why not keep the IPs in a database? Then when a change is submitted you can just overwrite the existing file. Otherwise, you could end up with duplicates. Otherwise you would have to parse the current file to check for duplicates.

 

Anyway, there is no error handling in your current script. You should start there to check file_exists() (can PHP see the file), that it could open the file, etc.

 

EDIT: I see the problem (or at least one of them). The IF statement is checking the "variable": $_GET('key')

 

I would think that would generate an error since the "function" $_GET() does not exist.

Edited by Psycho
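The suggestion above, keeping the IPs in a store and rewriting the allow block from it, sketched as an added example that is not code from the thread. The `# BEGIN ip-allowlist` / `# END ip-allowlist` markers, the function names and the sample data are assumptions; each stored value is validated before it can reach the file, so a submitted "IP" containing a line break cannot add directives.

```php
<?php
// Added example, not code from the thread. The marker comments, function
// names and sample data are assumptions made for illustration.

/** Build the allow/deny block from stored IP strings, dropping anything invalid. */
function build_allow_block(array $candidates): string
{
    $valid = [];
    foreach ($candidates as $ip) {
        $ip = is_string($ip) ? trim($ip) : '';
        // Only a literal IPv4/IPv6 address passes, so a value carrying a line
        // break or an extra directive can never be written into .htaccess
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $valid[$ip] = true; // array key gives de-duplication for free
        }
    }
    $lines = ['# BEGIN ip-allowlist'];
    foreach (array_keys($valid) as $ip) {
        $lines[] = "allow from {$ip}";
    }
    $lines[] = 'deny from all';
    $lines[] = '# END ip-allowlist';
    return implode("\n", $lines);
}

/** Swap the marked block in the existing file text, or append it if absent. */
function replace_allow_block(string $htaccess, string $block): string
{
    $pattern = '/^# BEGIN ip-allowlist$.*?^# END ip-allowlist$/ms';
    if (preg_match($pattern, $htaccess) === 1) {
        // A callback avoids "$1"-style interpretation of the replacement text
        return preg_replace_callback($pattern, fn(array $m) => $block, $htaccess, 1);
    }
    return rtrim($htaccess) . "\n\n" . $block . "\n";
}

// Constructed sample data: a stored list (with a duplicate and two bad
// entries) and an existing file that already holds other rules.
$stored = ['203.0.113.10', '203.0.113.10', '2001:db8::1',
           "198.51.100.7\nallow from all", 'not-an-ip'];
$current = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n";

$updated = replace_allow_block($current, build_allow_block($stored));
echo $updated;

// In real use, write $updated to a temporary file in the same directory and
// rename() it over .htaccess so Apache never reads a half-written file.
```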

Try this.

<?php
 
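//Verify proper key passed (hash_equals() compares in constant time and only accepts strings)
if (!isset($_GET['key']) || !is_string($_GET['key']) || !hash_equals('78J89ke93k93HJ883j003', $_GET['key']))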
{
    echo 'Invalid Key';
    exit();
}
 
//Define file to edit
$htaccess = '.htaccess';
 
//read the entire file
$contents = file_get_contents($htaccess, false);
 
//Verify that contents were read
if(!$contents)
{
    echo "Unable to read {$htaccess} file";
    exit();
}
 
//Get current IP of user
$ip = $_SERVER['REMOTE_ADDR']; //'allow from 92.27.111.112';
 
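//Check if IP already exists (match the whole "allow from" line so 1.2.3.4 is not found inside 1.2.3.40)
if(preg_match('/^allow from ' . preg_quote($ip, '/') . '[ \t]*\r?$/mi', $contents) === 1)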
{
    echo "The IP {$ip} already exists in {$htaccess} file";
    exit();
}
 
//Add new IP to contents (assumes 'deny from all' exists in file)
$contents = str_replace('deny from all', "allow from {$ip}" . PHP_EOL . "deny from all", $contents);
 
//Replace the contents of the file
if(!file_put_contents($htaccess, $contents))
{
    echo "Error updating {$htaccess} file";
    exit();
}
 
echo "IP {$ip} added to {$htaccess} file";
 
?>

Edit: I just realized that this may not work as written. I wrote it with the intent that the script above would be accessible to any IP address. If you have the script in the same folder as the htaccess file, then how would the user ever be able to make a change? They would have to access the page from an IP that is not restricted. So, I would suggest hosting this page in another location.

Edited by Psycho

I suspect the reason you are only seeing a blank page is because of the errors Psycho pointed out, and the fact that you have error reporting turned off. See this page for instructions on how to turn them on: http://php.net/manual/en/function.error-reporting.php

 

Obviously, in a production environment you probably want to turn error reporting off, or log them in some way so as to not show your users the errors while still being able to track them.

The whole IP submission procedure is nonsensical and insecure.

 

What you actually have there is password-based authentication, implemented in a very weird way. Whoever knows the hard-coded “key” can add their IP to the .htaccess file and gain access to the site. So why not drop the whole IP stuff and simply force the user to enter a predefined password?

 

This can be implemented with HTTP Basic Authentication. All you have to do is set up a password database (usually a file called “htpasswd”). When a user initially visits the site, they're asked for the password. After the password has been verified, it's cached for subsequent requests so that the user doesn't have to repeat it.

 

It's also possible to implement passwordless authentication using public-key cryptography, but this might be too advanced for your case.
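Setting up the password database described above, as an added example that is not code from the thread. The function name, user names and the `AuthUserFile` path are assumptions; the entries use bcrypt, which Apache 2.4 accepts in htpasswd files.

```php
<?php
// Added example, not code from the thread. Function name, user names and the
// file path are assumptions. Matching .htaccess directives:
//   AuthType Basic
//   AuthName "Restricted"
//   AuthUserFile /home/example/.htpasswd   (assumed path, outside the web root)
//   Require valid-user

/**
 * Return htpasswd file contents with $user set to a bcrypt hash of
 * $password, replacing an existing entry for that user if there is one.
 */
function htpasswd_set(string $contents, string $user, string $password): string
{
    // The format is one "user:hash" per line, so the name must not
    // contain ':' or a line break
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/D', $user)) {
        throw new InvalidArgumentException('Invalid user name');
    }
    // password_hash() with PASSWORD_BCRYPT yields a "$2y$..." hash
    $entry = $user . ':' . password_hash($password, PASSWORD_BCRYPT);

    $out = [];
    $replaced = false;
    foreach (preg_split('/\R/', $contents, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        if (strncmp($line, $user . ':', strlen($user) + 1) === 0) {
            $out[] = $entry;      // rotate the existing user's password
            $replaced = true;
        } else {
            $out[] = $line;       // keep other users untouched
        }
    }
    if (!$replaced) {
        $out[] = $entry;
    }
    return implode("\n", $out) . "\n";
}

// Constructed sample: create two users, then rotate the first one's password.
$file = htpasswd_set('', 'client1', 'first passphrase');
$file = htpasswd_set($file, 'client2', 'another passphrase');
$file = htpasswd_set($file, 'client1', 'rotated passphrase'); // no duplicate line
echo $file;
```

Basic Authentication sends the password with every request in an easily decoded form, so the protected site should be served over HTTPS only.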
