1

If I want to prevent a random user from using the URL to browse to a web file, I need to use an .htaccess file.

I have added my code below. I have created an .htaccess file and placed it within my include folder to prevent users from navigating to and reading my database.php file.

Following the instructions found here: https://www.plothost.com/kb/how-to-deny-access-to-a-specific-file-on-your-site-via-htaccess/

Of course I made some slight alterations.

Here is the code in my .htaccess file:

<files database.php>
Order Allow,Deny
Deny from all
</files>

Using the above, I am still able to URL right to the database.php file. I need to prevent this from happening.

What am I doing wrong?

halfer
John Beasley
  • https://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file check this – Avinash Dalvi Jul 02 '20 at 18:39
  • @aviboy2006 - I attempted the top two answers on that page. I can still URL right to the folder using the first answer. The second one does seem to work, but when going back to the index.php, the database seems to be disconnected. – John Beasley Jul 02 '20 at 18:44
  • @JohnBeasley Please let me know if my solution worked for you. – F. Müller Jul 06 '20 at 01:49

2 Answers

2

Please check the following:

  1. Make sure your .htaccess file is really called ".htaccess".
  2. The .htaccess file must be in the correct directory or the path of the file must be relative to the .htaccess file.

I just ran this on my machine. The same code you have used. My structure:

[image: structure]

The files are identical. I commented out the content in the .htaccess file in the root dir. So now I can call localhost:8080/database.php but not localhost:8080/test/database.php => I get an Error 403 (access denied).

EDIT

How about this guide here? setup htaccess

Looks legit. This is my config. According to the guide, it is just about setting up this config file and restart.

In htdocs

EDIT 2

I found out that the httpd.conf I had opened is not the correct one. I found the correct one under: Application/XAMPP/xamppfiles/etc/httpd.conf.

In this file you have to search for:

# 
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/Applications/XAMPP/xamppfiles/htdocs"
<Directory "/Applications/XAMPP/xamppfiles/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/trunk/mod/core.html#options
    # for more information.
    #
    #Options Indexes FollowSymLinks
    # XAMPP
    Options Indexes FollowSymLinks ExecCGI Includes

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    #AllowOverride None
    # since XAMPP 1.4:
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

Here you find this:

# "AllowOverride None" deactivates .htaccess
#AllowOverride None
# since XAMPP 1.4:
# "AllowOverride All" activates .htaccess
AllowOverride All

At least for me this was solely responsible for the .htaccess rewrite. When I set it to AllowOverride None the .htaccess is completely ignored.

F. Müller
  • I have my .htaccess file in my include folder. The only 2 files in my include folder are database.php and .htaccess (with the code I listed above), but I am still able to URL right to the file. Thoughts? – John Beasley Jul 02 '20 at 19:15
  • 1
    @JohnBeasley try moving the .htaccess to your root directory. I will check the part with the include folder ... hang on. – F. Müller Jul 02 '20 at 19:19
  • I moved the file to the root, but still no luck. – John Beasley Jul 02 '20 at 19:22
  • 1
    Try to put `Order Allow,Deny` (newline) `Deny from all` in the .htaccess (just remove the files tag) and see what happens. – F. Müller Jul 02 '20 at 19:28
  • I do appreciate your help, but it's just not working. This is the part where I'll be rethinking my career path. – John Beasley Jul 02 '20 at 19:37
  • 1
    @JohnBeasley Haha. Don't worry. Well at least you have found out the .htaccess must be enabled in the apache config. This is why your solution does not work. I assumed you use something like xampp or lamp? I just did that on windows and iOS and I never had to configure anything really. What is your setup btw? – F. Müller Jul 02 '20 at 19:48
1

You may do this using a mod_rewrite rule in site root .htaccess:

RewriteEngine On

RewriteCond %{THE_REQUEST} /database\.php[?\s/] [NC]
RewriteRule ^ - [F]
anubhava
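
A small checker for the condition both answers depend on, added here as an example and not code from the thread: it reads httpd.conf text, finds the AllowOverride in force for a directory, and reports whether each .htaccess directive (the Order/Deny lines from the question, the rewrite rule from the second answer) would be honoured. The parsing is a simplified model (plain `<Directory>` sections only, default None as in Apache 2.4), and the include/ location under htdocs is assumed.

```python
import re

# Override class Apache needs before honouring a directive in .htaccess.
OVERRIDE_CLASS = {
    "order": "limit", "allow": "limit", "deny": "limit",   # mod_access_compat
    "require": "authconfig",                               # mod_authz_core
    "rewriteengine": "fileinfo", "rewritecond": "fileinfo", "rewriterule": "fileinfo",
}

def effective_override(conf, path):
    """AllowOverride classes in force for `path` (simplified model: plain
    <Directory> sections only, longest matching one wins, default None)."""
    best, classes, stack = -1, {"none"}, []
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # a commented-out directive has no effect
        m = re.match(r'\s*<Directory\s+"?([^">]+?)"?\s*>', raw, re.I)
        if m:
            stack.append(m.group(1).rstrip("/"))
        elif words[0].lower() == "</directory>" and stack:
            stack.pop()
        elif words[0].lower() == "allowoverride" and stack:
            d = stack[-1]
            if (path == d or path.startswith(d + "/")) and len(d) > best:
                best, classes = len(d), {w.lower() for w in words[1:]}
    return classes

def htaccess_report(conf, directory, htaccess):
    """Map each known directive line of a .htaccess body to its outcome."""
    allowed = effective_override(conf, directory)
    report = {}
    for raw in htaccess.splitlines():
        words = raw.split()
        need = OVERRIDE_CLASS.get(words[0].lower()) if words else None
        if need is None:
            continue                      # <Files> wrappers, blanks, other lines
        report[raw.strip()] = ("ignored" if "none" in allowed   # file never read
                               else "honoured" if "all" in allowed or need in allowed
                               else "rejected")                 # Apache answers 500
    return report

# Constructed sample input; the include/ location under htdocs is assumed.
HTDOCS = "/Applications/XAMPP/xamppfiles/htdocs"
CONF = '<Directory "%s">\n    #AllowOverride None\n    AllowOverride %%s\n</Directory>\n' % HTDOCS
HTACCESS = "<files database.php>\nOrder Allow,Deny\nDeny from all\n</files>\n"

if __name__ == "__main__":
    for setting in ("None", "All", "FileInfo"):
        print(setting, htaccess_report(CONF % setting, HTDOCS + "/include", HTACCESS))
```

An "ignored" result is the silent case from the question: the file is still served and nothing is logged, so a direct request for the protected file returning 403 is the check that confirms the rule is live.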