Hi, I was wondering if it is possible to allow a php file to load code from an external file and still prevent users from accessing the external files directly, that is, deny them access when they type ww.myhomepage.com/myexternalfiles/file.ext

Maybe together with .htaccess?

I think you can use include (http://php.net/include) to include external files; just make sure there is not output on the file by itself on the remote server.

Remote file, named remote.php:


<?php
if(!isset(REMOTEACCESS)){
die("You cannot access this file directly.");
}

# ... other code/processing here
?>


Then, where you're calling the file, use something like...


<?php
DEFINE('REMOTEACCESS', '1');
include("http://www.remote.server/dir/remote.php");
?>

Use the <Files> configuration item in Apache:

From the standard httpd.conf:

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


Notice that this does a comparison of the file's name against a "regular expression." If you want to write a rule based on the file's extension, you probably want something like:


<Files ~ "\.ext$">
Order allow,deny
Deny from all
</Files>


The "$" at the end marks the end of a string. So this matches any file whose name ends in ".ext".

See http://httpd.apache.org/docs/mod/core.html#files for more details.

I believe you can simply put the included file in a non-web-accessible directory:

include "/home/myself/includes/somefile.php";

NogDog, that would only work if both domains were on the same host.

Edit: I misread the original post thinking the user was trying to connect and retrieve PHP code from a remote host. Apologies.

Jona, so that means your suggestion won't work?

Yuna, I'm quite new to server techniques etc. Do I need to contact my hosting provider for this or can I normally set the httpd.conf file myself (through my hosting account)?

Thanks for trying to help me out.

You can create a .htaccess file in any directory and it will affect that directory specifically in the same way as Yuna described. What I suggested will work, but the other solutions presented may be more practical.

I tried some of your suggestions, but either I'm doing it the wrong way or my question was not clear enough (the latter is very likely).

Trying to make use of your examples, still, when my index page loads, it requires me to enter username and password, otherwise the external files won't load the way the should. I want to avoid this.

When I posted this thread I forgot to add that what I want is to allow the index file to load code from an external file WITHOUT needing to fill out username and password (as if the code in the external file was embedded in the index file), and still be able to deny users direct access to the external file by prompting them for username and password if they try to access it directly by entering the full path, e.g. ww.myhomepage.com/myexternalfiles/file.ext

Sorry for having explained it so poorely to you !

So you want to do validation based on URI request?


<?php
# This is your external file.
if($_SERVER["REQUEST_URI"] == "/myexternalfiles/file.ext"){
requireLogin();
# or some function that makes
# them have to login
} else {
# ... whatever you want the
# script to do, without
# having to login
}
?>