.htaccess code to protect a single URL? - .htaccess

Is it possible to protect a single URL through .htaccess? For example I will have website.com/index.php?skin=name. Can I password protect only this url? (with no PHP changes, only .htaccess)
website.com/index.php or website.com/index.php?skin=other_name should not be restricted.


You can rewrite the address to protect it like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/index\.php$
RewriteCond %{QUERY_STRING} ^skin=(name)$
RewriteRule ^(.*)$ /skin/%1 [PT]
<LocationMatch "/skin/name">
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /path/to/passwords
Require valid-user
</LocationMatch>


You can if you use mod-rewrite to rewrite the address to something else and protect that.
https://serverfault.com/questions/94964/apache-locationmatch-directive
You can't use LocationMatch, even though it would appear that you could.


Your best bet is to do it in PHP. A quick google search later and I found a great way to use PHP_AUTH which looks a lot like the .HTACCESS login prompt
<?php
$login_successful = false;
// check user & pwd:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
$usr = $_SERVER['PHP_AUTH_USER'];
$pwd = $_SERVER['PHP_AUTH_PW'];
if ($usr == 'jonas' && $pwd == 'secret'){
$login_successful = true;
}
}
// login ok?
if (!$login_successful){
// send 401 headers:
// realm="something" will be shown in the login box
header('WWW-Authenticate: Basic realm="Secret page"');
header('HTTP/1.0 401 Unauthorized');
print "Login failed!\n";
}
else {
// show secret page:
print 'you reached the secret page!';
}
Source: http://snippets.dzone.com/posts/show/2006

Related

how do i display the user nickname instead of the ID on the page profile [duplicate]

Normally, the practice or very old way of displaying some profile page is like this:
www.domain.com/profile.php?u=12345
where u=12345 is the user id.
In recent years, I found some website with very nice urls like:
www.domain.com/profile/12345
How do I do this in PHP?
Just as a wild guess, is it something to do with the .htaccess file? Can you give me more tips or some sample code on how to write the .htaccess file?

According to this article, you want a mod_rewrite (placed in an .htaccess file) rule that looks something like this:
RewriteEngine on
RewriteRule ^/news/([0-9]+)\.html /news.php?news_id=$1
And this maps requests from
/news.php?news_id=63
to
/news/63.html
Another possibility is doing it with forcetype, which forces anything down a particular path to use php to eval the content. So, in your .htaccess file, put the following:
<Files news>
ForceType application/x-httpd-php
</Files>
And then the index.php can take action based on the $_SERVER['PATH_INFO'] variable:
<?php
echo $_SERVER['PATH_INFO'];
// outputs '/63.html'
?>

I recently used the following in an application that is working well for my needs.
.htaccess
<IfModule mod_rewrite.c>
# enable rewrite engine
RewriteEngine On
# if requested url does not exist pass it as path info to index.php
RewriteRule ^$ index.php?/ [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php?/$1 [QSA,L]
</IfModule>
index.php
foreach (explode ("/", $_SERVER['REQUEST_URI']) as $part)
{
// Figure out what you want to do with the URL parts.
}

I try to explain this problem step by step in following example.
0) Question
I try to ask you like this :
i want to open page like facebook profile www.facebook.com/kaila.piyush
it get id from url and parse it to profile.php file and return featch data from database and show user to his profile
normally when we develope any website its link look like
www.website.com/profile.php?id=username
example.com/weblog/index.php?y=2000&m=11&d=23&id=5678
now we update with new style not rewrite we use www.website.com/username or example.com/weblog/2000/11/23/5678 as permalink
http://example.com/profile/userid (get a profile by the ID)
http://example.com/profile/username (get a profile by the username)
http://example.com/myprofile (get the profile of the currently logged-in user)
1) .htaccess
Create a .htaccess file in the root folder or update the existing one :
Options +FollowSymLinks
# Turn on the RewriteEngine
RewriteEngine On
# Rules
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php
What does that do ?
If the request is for a real directory or file (one that exists on the server), index.php isn't served, else every url is redirected to index.php.
2) index.php
Now, we want to know what action to trigger, so we need to read the URL :
In index.php :
// index.php
// This is necessary when index.php is not in the root folder, but in some subfolder...
// We compare $requestURL and $scriptName to remove the inappropriate values
$requestURI = explode(‘/’, $_SERVER[‘REQUEST_URI’]);
$scriptName = explode(‘/’,$_SERVER[‘SCRIPT_NAME’]);
for ($i= 0; $i < sizeof($scriptName); $i++)
{
if ($requestURI[$i] == $scriptName[$i])
{
unset($requestURI[$i]);
}
}
$command = array_values($requestURI);
With the url http://example.com/profile/19837, $command would contain :
$command = array(
[0] => 'profile',
[1] => 19837,
[2] => ,
)
Now, we have to dispatch the URLs. We add this in the index.php :
// index.php
require_once("profile.php"); // We need this file
switch($command[0])
{
case ‘profile’ :
// We run the profile function from the profile.php file.
profile($command([1]);
break;
case ‘myprofile’ :
// We run the myProfile function from the profile.php file.
myProfile();
break;
default:
// Wrong page ! You could also redirect to your custom 404 page.
echo "404 Error : wrong page.";
break;
}
2) profile.php
Now in the profile.php file, we should have something like this :
// profile.php
function profile($chars)
{
// We check if $chars is an Integer (ie. an ID) or a String (ie. a potential username)
if (is_int($chars)) {
$id = $chars;
// Do the SQL to get the $user from his ID
// ........
} else {
$username = mysqli_real_escape_string($char);
// Do the SQL to get the $user from his username
// ...........
}
// Render your view with the $user variable
// .........
}
function myProfile()
{
// Get the currently logged-in user ID from the session :
$id = ....
// Run the above function :
profile($id);
}

Simple way to do this. Try this code. Put code in your htaccess file:
Options +FollowSymLinks
RewriteEngine on
RewriteRule profile/(.*)/ profile.php?u=$1
RewriteRule profile/(.*) profile.php?u=$1
It will create this type pretty URL:
http://www.domain.com/profile/12345/
For more htaccess Pretty URL:http://www.webconfs.com/url-rewriting-tool.php

It's actually not PHP, it's apache using mod_rewrite. What happens is the person requests the link, www.example.com/profile/12345 and then apache chops it up using a rewrite rule making it look like this, www.example.com/profile.php?u=12345, to the server. You can find more here: Rewrite Guide

ModRewrite is not the only answer. You could also use Options +MultiViews in .htaccess and then check $_SERVER REQUEST_URI to find everything that is in URL.

There are lots of different ways to do this. One way is to use the RewriteRule techniques mentioned earlier to mask query string values.
One of the ways I really like is if you use the front controller pattern, you can also use urls like http://yoursite.com/index.php/path/to/your/page/here and parse the value of $_SERVER['REQUEST_URI'].
You can easily extract the /path/to/your/page/here bit with the following bit of code:
$route = substr($_SERVER['REQUEST_URI'], strlen($_SERVER['SCRIPT_NAME']));
From there, you can parse it however you please, but for pete's sake make sure you sanitise it ;)

It looks like you are talking about a RESTful webservice.
http://en.wikipedia.org/wiki/Representational_State_Transfer
The .htaccess file does rewrite all URIs to point to one controller, but that is more detailed then you want to get at this point. You may want to look at Recess
It's a RESTful framework all in PHP

Is it possible to do http://www.something.domainname.com where something could be a variable?

I would like for any user come to redirect to their page on my site after they login with .htaccess.
For example, "username" login and redirects to:
http://www.username.domainname.com
That will be handled internally like this:
http://www.domainname.com/users.php?user=username

Yes it is by doing a redirect.
If you are writing in PHP, you can do this:
<?php
$username = $_GET["user"]; // Note that this is user input (which could be malicious)
header("Location: http://www.{$username}.domainname.com/");
?>
But, as you have not specified a language, that is just one example. You can easily search for how to do a redirect in whatever framework you are using and there should be good examples.
If you want to go the other way, try a URL Rewrite.
Here's a very basic one that should work:
RewriteCond %{HTTP_HOST} ^www\.([^.]+)\.domainname\.com$
RewriteRule ^.*$ http://www.domainname.com/users.php?user=%1 [L,R]
The rule looks for any request that matches www.(something other than .).domainname.com and sends back a redirect request for http://www.domainname.com/users.php?user=(something other than .)

Mod Rewrite SEO urls and R=301

I want my URL to look like as following and also inform search engines the URL has permanently changed.
www.example/shop/12/title
I achieved this by using the following
RewriteRule ^shop/([^/]*)/([^/]*)$ /shop.php?prod=$1 [L]
but, I'm stuck on the Permanent Redirect URL.
When I try the following
RewriteRule ^shop/([^/]*)/([^/]*)$ /shop.php?prod=$1 [R=301,L]
Links like www.example/shop/12/title are redirected to www.example/shop.php?prod=12
This should stay as the seo friendly link.
Any Help?

Since your new urls contain a title that is not in your original 'ugly' urls, you cannot redirect from within mod_rewrite. It is not possible to summon information from thin air in mod_rewrite.
The best you can do is adding the following in the top of shop.php:
if( strpos( $_SERVER['REQUEST_URI'], "shop.php" ) !== FALSE ) {
$id = $_GET['prod'];
$title = getTitleById( $id );
header( "Location: /shop/{$id}/{$title}", TRUE, 301 );
exit();
}

Selecting for special characters with rewriterule in htaccess file

I made a little mistake (I started a new php call within an existing php call - oops) and managed to have google start crawling a whole bunch of urls that look like this:
http://www.mydomain.com/folder/parameter/%3C/?php%20echo%20writelink();%20?%3E
I've fixed the sourcing call, but my attempts to have .htaccess rewite the page calls to
http://www.mydomain.com/folder/parameter/
have been unsuccessful.
I have tried the following:
RewriteRule ^folder/(.*)/(.*)%(.*) /folder/$1/ [NE,R=301,L]
RewriteRule ^folder/(.*)/(.*)3C/?php /folder/$1/ [R=301,L]
RewriteRule ^folder/(.*)/(.*)writelink /folder/$1/ [R=301,L]
RewriteRule ^folder/(.*)/([^/.]+)writelink /folder/$1/ [R=301,L]
But all of them are returning the same 403.
I have the test rewriterule as the first rewriterule in the file, so it isnt being usurped by something else.
(For reference, the correct rewriterule when I havent mucked up the page is
RewriteRule ^folder/(.*)/$ /content/element.php?param=$1 [L]
)
I've had problems with %ages in the path before but this time I've decided to defeat it - any suggestions?

Your URL is something like this:
http://www.mydomain.com/folder/parameter/</?php echo writelink(); ?> whithout the encoding.
The 304 code does not really indicate an error, it indicates the resource for the requested URL has not changed since last accessed or cached. Clear your brower's cache and make sure it is cleared.
The error should be 403 (Forbidden) because of the initial character < (%3C).
These errors make any rewrite rule at .htaccess useless. One way to handle this kind of problem is with a script.
EXAMPLE
Add these lines to your .htaccess file at root directory:
Options +FollowSymlinks -MultiViews
ErrorDocument 403 /Error403.php
Create Error403.php at root directory with a content similar to this one:
<?php
// The following lines should be at the top of the file
/**************Only for Debugging**********************/
echo $_SERVER[ 'REDIRECT_QUERY_STRING' ] . "<br /><br />";
echo var_dump($_REQUEST) . "<br /><br />";
/*=====================================================
NOTE: A Header error might be generated while the above
code is active. Use it only to display the incoming
parameters and delete it for normal operation.
*******************************************************/
if ( isset ( $_SERVER[ 'REDIRECT_QUERY_STRING' ] ) ) {
$QueryString = $_SERVER[ 'REDIRECT_QUERY_STRING' ]; // The query looks like this: php%20echo%20writelink();%20?%3E
// Check if it is the wrong URL
if ( preg_match( '|php%20echo%20writelink()|i', $QueryString ) ) {
header("Location: http://www.mydomain.com/folder/parameter/");
}
}
// Handle other errors
?>
In this specific case we take advantage of the fact that the string contains a question mark ?, that makes it look like a query. So we try to match the query content with preg_match().
That should do it. Modify the links accordingly if necessary, this is just an example on how to do it.

.htaccess and filtering $_GET

Hello I am writing a profile page script, in this script I check the value of an incoming $_GET variable and validate that it is an integer, I then validate this value against a $_SESSION value to confirm that they can only access their own accounts. The code looks like this:
// validate $_GET field
if(isset($_GET['identity']) && filter_var($_GET['identity'], FILTER_VALIDATE_INT, array('min_range' => 1))) {
if(isset($_SESSION['user_identity']) && ((int)$_SESSION['user_identity'] === (int)$_GET['identity'])) { // if session exists and is === $_GET['identity']
// Proceed with code
This works fine for instance if I try to pass '0','2-2','abc' or no value as the $_GET value the query correctly fails and redirects them to the home page.
What I then tried to do was alter my .htaccess file to map the URLs to 'profile/1' just to tidy it up.
RewriteRule ^profile$ profile.php
RewriteRule ^profile/([0-9]+)$ profile.php?identity=$1 [NC,L]
What I found now is that the page doesn't redirect any more using those invalid $_GET parameters above. It just tries to find 'profile/abc.
Does anyone know why?

I use this and it works for me:
RewriteEngine On
RewriteBase /
RewriteRule ^profile$ profile.php
RewriteRule ^profile/([a-z0-9\-]+)$ profile.php?identity=$1 [NC,L,QSA]
Now, how did you get profile/abc? if you try to pass letters in the rule it wont work since you only specify numbers ([0-9]+). If you want to pass letters you will need to use:
RewriteRule ^profile/([a-z0-9\-]+)/?$ profile.php?identity=$1 [NC,L,QSA]

Resources