LAMPdocs: Linux, Apache, MySQL, PHP » htaccess Solutions

How to Enable register_globals in php using .htaccess

admin — Thu, 28 Jan 2010 08:13:12 +0000

As you should already know, register_globals is a php.ini directive that manages the way PHP deals with variables. It has been deprecated for security issues and we won’t see it in PHP 6.0. If the deprecated register_globals directive is on (removed as of PHP 6.0.0), then variables_order also configures the order the ENV, GET, POST, COOKIE and SERVER variables are populated in global scope. So for example if variables_order is set to “EGPCS”, register_globals is enabled, and both $_GET['action'] and $_POST['action'] are set, then $action will contain the value of $_POST['action'] as P comes after G in our example directive value. This is extremely insecure and it is not recommended to enable this directive.

But if you really need it (for example, you need to transfer an old-made site to your server and make it working until all the variables are changed), you may enable it using an .htaccess file. This way register_globals will be active just for one site. Here is the string you need to add to your .htaccess file:

php_value register_globals 1

I wish you to change all the variables as soon as possible, but you may use my solution until then

How To Find The Version of Linux You Are Using

admin — Thu, 12 Feb 2009 17:44:09 +0000

Sometimes you need to know what version of the Operating system is installed on your server. This is extremely useful when you order a dedicated server and want to know what is the version of OS on it. A simple command will help you as usual:

cat `ls /etc/*{-,_}{release,version} 2>/dev/null | head -n 1`

This will show you something like

The picture below shows the difference between common commands: one shown above and uname -a. Sometimes you don’t need the kernel version, just the operating system name. This command should help you to do that.

htaccess Site Redirection Without Parameters

admin — Mon, 01 Sep 2008 05:11:30 +0000

Sometimes you need to redirect all traffic from one site to another. Very often site structure is different and the need is to send visitors to the main page of the site. This makes Site Redirection tabs of all known panels unusable, as the parameters are being sent to the new site. For example, if you had www.oldsite.com/index.php?f=9 and you’ve set redirection to www.newsite.com/, you will be redirected to www.newsite.com/index.php?f=9.

Sometimes you can omit these parameters (for example, when pointing to a PHP script with at least one parameter), but most probably you won’t need this. How to hide these parameters and send your users to the main page of a new site? Here is an .htaccess solution.

We will need two files: .htaccess in the root directory of your site and a PHP file located anywhere you like. First of all we need to create an .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://www.site.com/redirect.php

What does this piece of code do? It redirects all requests to the server (^(.*)$) to a PHP file, that processes redirection. All the unnecessary parameters will be sent to this PHP file and it won’t transmit them further as it contains only one string:

header (“Location: http://newsite.com”);
?>

Can you see the difference? None of old site parameters are sent to the new site, everything looks clear and simple.

I think there is a smarter solution for this, I would encourage you to post it here.

How To Protect a Folder Using .htaccess From Command Line

admin — Thu, 28 Aug 2008 13:25:24 +0000

We do often meet password protected directories on the Web. This is usually used to hide some information that should not be visible to all site users. Most common is .htaccess protection, that allows you to restrict users at Apache level and is also knows as http authentification. Today I will tell you how to protect your directory using command line.

As usually we need root access to the server and need to go to the folder which is waiting to be protected. First of all we need to create an .htaccess file that should contain the information that authentification is required to access this folder. The most common sample comes below:

AuthGroupFile /dev/null
AuthName “Closed User Group”
AuthType Basic
AuthUserFile /path_to_htpasswd_file/.htpasswd
require valid-user

Usually .htaccess and .htpasswd files are located in the same folder, but you can move .htpasswd anywhere you like: you will just need to point to its absolute location in .htaccess. Then go to the directory where you’re planning to put your .htpasswd file.

Now we need to have username and password – that’s enough. The following command will create your .htpasswd file with login data so you can use it immediately.

htpasswd -bcm .htpasswd user password

You can read more about this command at Apache Site. But this command will help you to create a password file without any specific knowledge.

Please, note that .htpasswd is just the file name: you’re welcome to store your passwords in the files with any file names, but it would be better if it is started with a dot and if this file is stored in the directory that is not accessible from web.

Setting Custom Error Pages for All User Domains with .htaccess on a Directadmin Server

admin — Wed, 25 Jun 2008 18:40:35 +0000

Sometimes it is useful to use custom error pages on all user domains (In case of maintenance, new software installation, etc). It’s a pity you are unable to do it for all user domains in Directadmin, just for a single one. But htaccess comes to help us this time.

Go to /home/admin/domains (certainly, replace admin with your username) and create a .htaccess file containing the following code:

ErrorDocument 404 http://google.com

This code will be valid for all domains that are owned by this user, so you don’t need to change your custom error pages one by one.

It’s a pity Directadmin doesn’t have any options for bulk domain options, i.e. bulk domain addiction, bulk DNS modification, etc. Bulk error code setting could also be a nice feature for such a panel and hope it will be realized soon

How To Deny Directory Listing Using .htaccess

admin — Mon, 16 Jun 2008 16:15:21 +0000

Often when you’re using shared hosting, there are some problems with directory listing. Server administrators should avoid this as this represents a security hole. But what to do if you don’t have access to httpd conf and need to prevent directory listing? What to do if you have something like this:

A simple string in .htaccess file will save you. Here it is:

IndexIgnore *

In some cases the following string will also work:

Options -Indexes

One of these two solutions will lead you to showing 403 error to the user that tries to look what files are located in your directory. But let me repeat – this is a security hole and you should notify your system administrator about this issue. This is an emergency solution…

Deny Access to All IPs Except Yours .htaccess Solution

admin — Thu, 01 May 2008 06:08:38 +0000

Sometimes you need to perform any specific tasks that require nobody accesses the page while it is being edited. There may be some tests, database update or anything else. So your task is to deny access to your site from all ips except yours. Note, that all your site visitors should not be redirected anywhere, but should be shown a message that your site will be available soon, or something in this way. You need to allow access from your IP only and others should be redirected to a specific page of your site. I am going to show you 2 .htaccess solutions:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^site\.ru
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111
RewriteRule ^(.*)$ http://site.com/under_construction.html [L]

The second one is to use 403 page of your site:
Order deny,allow
Allow from 127.0.0.1 111.111.111.111
Deny from all

ErrorDocument 403 /reconstruction.html

You need to replace 111.111.111.111 with your IP and everything should be solved!

Apache: How To Deny Access To Certain File Types

admin — Mon, 21 Apr 2008 06:22:44 +0000

Sometimes we need to close access to cerain file types. We often deny directory listings and think that’s enough. But even if the files will not appear in directory indexes this will not imply that access to the files will be denied and if a remote user knows the exact location of the file, he will still be able to access the file from a browser. How can someone find out about the location of the private file? Well this doesn’t really matter too much, but he might see paths, or files, shown in a warning messages, or anything else.
So if there are ’special files’ that you want to not be served in any case to remote users then you will have to deny access to them.

In order to achieve this we will be using the standard apache module mod_access that will allow us to define rules for various contexts (, , and sections). In this case we will be interested in the section.
Allow/Deny Directive in

Your apache might contain in the default configuration (or at least it would be nice) a configuration similar to the following one that will deny access from the browser to .htaccess files:

Order allow,deny Deny from all

Let’s see how we can deny access to several files; let’s consider that we want to deny access to all files with the extension .inc (includes in our php application). In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
Order allow,deny Deny from all
Similar to this we can deny access to whatever files we might need. This does not refer to folder protection, it works just for defined file types. You can protect a directory from being viewed using Directadmin Ditectory Password protection page.