dknighton
Posted March 15, 2007

I inherited web sites where folders contain both .php files and uploaded files (.pdf, .doc, etc). Not surprisingly, my users can navigate directly to the uploaded files and bypass any security--all uploaded files must be served by a .php file for security reasons. All files are owned by Apache. I can move the uploaded files to folders outside the web tree, but how will those be served? I haven't hit on the right combination of .htaccess (I've been using WebMin), or anything else. Please help. Thanks.

R_P
Posted March 16, 2007

The key search words (if I understand the question correctly) relate to hot-linking and bandwidth theft - basically keeping users from directly accessing files from a web folder. It can also act to secure those files (for the most part).

From apache.blog-city.com:

You can create or edit your .htaccess file and add:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

The first line signals Apache to turn on the Rewrite engine. Line two matches any requests from your own mysite.com url. The [NC] code means "No Case", meaning match the url regardless of being in upper or lower case letters. The third line means allow empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png (you can replace these with your own file types). This will return a 403 Forbidden error.

The premise is that any user who accesses those files must be referred by your website (.php page) or it will deny access to the files.

Hope this helps.

Good Luck,
Ryan
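
The first post asks how uploads moved outside the web tree can still be served. One way to do it, as an added example that is not code from either poster: a PHP script checks the login session, resolves the requested name inside the private directory, and streams the file. The directory path, the `file` query parameter and the `user_id` session key are assumptions.

```php
<?php
// download.php - added example; the path, parameter and session key are assumptions.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/private_uploads';   // assumed directory outside the document root
const ALLOWED = [                                // extension => Content-Type to send
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
];

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_upload(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves ".." and symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the upload directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED) ? $path : null;
}

// The site's own login check goes here; 'user_id' is a hypothetical session key.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$path = resolve_upload(UPLOAD_DIR, (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$safeName = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: ' . ALLOWED[$ext]);
header('Content-Length: ' . (string)filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the check runs on the server for every request, it does not depend on the Referer header, which is sent by the client.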