NYCPHP Meetup

[nycphp-talk] htaccess & php

Michele Waldman mmwaldman at nyc.rr.com
Fri Nov 28 16:34:36 EST 2008


This seems to work.

 

ErrorDocument 403 /missing.html

ErrorDocument 404 /missing.html

ErrorDocument 500 /missing.html

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .type1(.+)?\.php(.+)?$ - [F,NC,L]

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .file1\.php(.+)?$ - [F,NC,L]

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .*\.(jpe?g|gif|bmp|png)$ image/nolink.jpg [NC,L]

 

Apparently, you can only have one rule after defining the conditions.

 

Is this right?

 

Now this doesn't stop them from inserting into the stream?

 

Nor, does it prevent direct http call from the browser, but it does prevent,
I believe, embedding the files and trying to make direct function calls from
code.

 

Thoughts?

 

Michele

 

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Michele Waldman
Sent: Friday, November 28, 2008 3:26 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] htaccess & php

 

I'm getting closer.

 

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .*\.(jpe?g|gif|bmp|png)$ /img/nolink.jpg [L]

RewriteRule .type1(.+)?\.php(.+)?$ stub.php [L]

RewriteRule .file1\.php(.+)?$ stub.php [L]

 

These rules prevent my domain from calling the modules.

 

The html uses    src="../../type1.php?arg1=blah" and

                        Src="../../file1.php"

 

I want my code and my code only to be able to use these modules.

 

Michele

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Michele Waldman
Sent: Friday, November 28, 2008 3:03 PM
To: 'NYPHP Talk'
Subject: [nycphp-talk] htaccess & php

 

This is not working for me

 

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .*\.(jpe?g|gif|bmp|png)$ /image/nolink.jpg [L]

RewriteRule .file1\.php(\?*)?$ stub.php [L]

RewriteRule .type1_*\.php(\?*)?$ stub.php [L]

 

All of the php files are referred to in the html as:

 

Src="../../file1.php"  or

 

Src="../../type1_file2.php?arg1=blah

 

In the case of file1, I'm just getting the stub.php

 

In the case of type1_file2.php the file is being call.  I think because my
string didn't match.

 

I'm trying to lock out remote call to the php files.

 

Michele

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20081128/c52ca413/attachment.html>


More information about the talk mailing list