Block direct access to a file over http but allow php script access

Question

I m loading my files  pdf  doc  flv  etc  into a buffer and serving them to my users with a script   I need my script to be able to access the file but not allow direct access to it   Whats the best way to achieve this   Should I be doing something with my permissions or locking out the directory with  htaccess

User · Accepted Answer

The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.

However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,

Order deny,allow
Deny from all

Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.

User · Answer

Are the files on the same server as the PHP script  If so  just keep the files out of the web root and make sure your PHP script has read permissions for wherever they re stored

User · Answer

To prevent  ini files from web access put the following into apache2 conf   lt Files      ini   gt  Order allow deny Deny from all  lt  Files gt

User · Answer

in httpd conf to block browser  amp  wget access to include files especially say db inc or config inc   Note you cannot chain file types in the directive instead create multiple file directives     lt Files      inc   gt  Order allow deny Deny from all  lt  Files gt    to test your config before restarting apache  service httpd configtest   then  graceful restart   service httpd graceful

User · Answer

That is how I prevented direct access from URL to my ini files  Paste the following code in  htaccess file on root   no need to create extra folder    lt Files      ini   gt    Order allow deny   Deny from all  lt  Files gt    my settings ini file is on the root  and without this code is accessible www mydomain com settings ini

User · Answer

If you have access to you httpd conf file  in ubuntu it is in the  etc apache2 directory   you should add the same lines that you would to the  htaccess file in the specific directory   That is  for example    ServerName YOURSERVERNAMEHERE  lt Directory  var www  gt  AllowOverride None order deny allow Options -Indexes FollowSymLinks  lt  Directory gt    Do this for every directory that you want to control the information  and you will have one file in one spot to manage all access   It the example above  I did it for the root directory   var www   This option may not be available with outsourced hosting  especially shared hosting   But it is a better option than adding many  htaccess files

User · Answer

How about custom module based  htaccess script  like its used in CodeIgniter    I tried and it worked good in CodeIgniter apps  Any ideas to use it on other apps    lt IfModule authz core module gt      Require all denied  lt  IfModule gt   lt IfModule  authz core module gt      Deny from all  lt  IfModule gt

[php] Block direct access to a file over http but allow php script access

Examples related to php

Examples related to apache

Examples related to permissions