Home/ Questions/Q 8374227
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T14:52:33+00:00

I have a directory containing data that should not be world-accessible until a certain

  • 0

I have a directory containing data that should not be world-accessible until a certain date.

The directory, naturally, should not be directly world-readable with a web browser. I currently solve this with .htpasswd and .htaccess.

However, there is a world-readable .php file one directory level up. The PHP file, based on the date, conditionally generates basic HTML tags (e.g., <img .../>) that read from the protected directory.

Unfortunately, in my tests, the .php file requires authentication to load the data. My question is whether I’m trying to do something fundamentally impossible, or whether I can tweak it to make it work. Also, if it is possible, are there any additional issues (security or otherwise) that I should know about?

Additional information:

  • If possible, I would prefer not to use Javascript.
  • PHP 5.3 is available.
  • Any other ideas for a solution (I already thought of a cron-job, which I might yet do)?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m guessing a problem you might have is if you try to output <img src="protected.jpg" /> even from an unprotected php file, you’ll be able to show the HTML but NOT the image file itself.

    If i understand correctly what you’re trying to do, you need either :

    • to write some kind of proxy script in PHP, in order to control access to each file (this is a bit tedious and requires generating the right headers + mime types).
    • to control access directly from .htaccess using time/date conditions, which might be your best option. see there : http://www.askapache.com/htaccess/time_hour-rewritecond-time.html

    Edit : proxy example : i can’t seem to find an example online so this is a function i often use when i wish to control access to a file from PHP (for instance this can be sensitive data whose access needs to be verified from $_SESSION or DB values) :

    function send_binary_data($path, $mimetype, $filename = null){

    @ob_clean();

    if($filename === null) $filename = basename($path);
    $size = filesize($path);

    //no-cache
    header('Cache-Control: no-cache, must-revalidate, public');
    header('Pragma: no-cache');

    //binary file
    header('Content-Transfer-Encoding: binary');

        //mimetype
    header('Content-Type: ' . $mimetype);
    header('Content-Length: ' . $size);
    header('Content-Disposition: inline; filename=' . $filename);
    header('Content-Description: ' . $filename);

    $chunksize = 1 * (1024 * 1024);
    $buffer = '';
    $handle = fopen($path, 'rb');

    if ($handle === false) {
        return false;
    }

    while (!feof($handle)) {
        $buffer = fread($handle, $chunksize);
        print $buffer;
    }

    $result = fclose($handle);
    unset($handle);
    $handle = null;

    die();

}

    Of course you still need to restrict direct access from .htaccess but in case of a proxy you’ll redirect all requests to your unprotected proxy script, like this :

    RewriteEngine ON
RewriteRule ^(.*)$ /proxy.php?file=$1 [NC,QSA]

    And proxy.php would contain something like :

    if(!isset($_GET['file'])) die('file not set');
$file = $_GET['file'];

//perform all your custom checking, including security checks due to retrieving data from $_GET, and if access is granted :

$path = 'yourpath/'.$file;
$mimetype = 'defineregardingyour/ownrules';
send_binary_data($path, $mimetype);
    • 0