The problem with file protection

Libenowka · June 27, 2025, 5:40pm

http://lv.ct.ws/
So, the problem is that I need to protect two files in the decrees folder: create.php and create_process.php. We’ve tried to do something about it, but we’re getting a 500 error. The directory protection mechanism doesn’t work for me because I need to keep access to the other files in the directory open. We’ve tried moving these two files to a separate directory, but the materials they contain on other web pages in the category are using the entire category’s authorization mechanism. What should I do about it?

Greenreader9 · June 27, 2025, 5:42pm

What code did you use? Did you turn on error messaging?

I’m not sure what you mean by that, can you explain differently?

Iceables · June 27, 2025, 6:12pm

does the 500 error say any response?

Libenowka · June 27, 2025, 6:46pm

(we can replace the password anyway, and we can burn the code)
.htaccess:

<FilesMatch "(create\.php|create_process\.php)">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</FilesMatch>

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

.htpasswd:
Admin:$apr1$O.2iiLSt$ilJ7q/QzoMVEs4b7NG7pA1
About the second. In short: we had to protect from unauthorized users PHP-file, the essence of which is to insert text into another document, which does not need to be protected. Because of the fact that this code is from a protected PHP-file, the system thinks that it is necessary that these data are not seen anywhere, even if they are embedded in another document, and therefore blocks access everywhere where they are used, that is, throughout the site.

Libenowka · June 27, 2025, 6:47pm

No, it’s just a standard 500 error from Infinityfree. There are no error messages in the browser console.

dan3008 · June 27, 2025, 7:14pm

In your dashboard there’s an option in the php settings menu to turn on full error reporting

Admin · June 27, 2025, 7:17pm

Directory protection does what it says on the tin: it protects directories. It’s not designed to protect specific files.

I never thought of doing what you did with .htaccess rules, but it if works for you, then all is good.

Still, I would personally strongly prefer to just put the protected files in a different directory, because of how difficult complex .htaccess rules can be work with.

There are actually multiple flavors of 500 error, which have a different meanings. Which one do you see exactly?

Note that the password you shared is hashes, so it’s relatively safe to share publicly.

Maybe this is just a placeholder, but you’re supposed to specify the full path to the .htpasswd file here. If this is actually in your code, please update it with the real, correct path, or you may also see a 500 error.

Libenowka · June 27, 2025, 7:26pm

“500 Internal Server Error. Something on the website crashed! standart guide”
Thanks, we’ve take note.
Thank you, we’ve taken that into account. The path to the file (apparently) is /home/vol19_1/infinityfree.com/if0_38084455/lv.ct.ws/htdocs/decrees/.htpasswd. However, this does not solve the problem. Perhaps the path should not include the file name itself, .htpasswd?
As for password-protecting a separate directory with these files, we’ve already tried that. However, it also protects all the other files, as these two files contain content that is used in all the other files.

Libenowka · June 27, 2025, 7:28pm

We know, but she’s not doing anything.

Admin · June 28, 2025, 4:26pm

No, the AuthUserFile must actually be the location of the file, not the directory. The file being called .htpasswd is more convention than something that’s actually mandated by the server (unlike the .htaccess file, which must have that exact same).

If you want an example on what correct configuration looks like, you could create a dummy directory on your website and use the Password Protect Directory to protect it. If desired, you can transplant that content into your main .htaccess file.

I don’t fully understand what the setup looks like, but I would like to remind you that the password protection, like any other .htaccess rules, only applies to the initial request made to the server, which may then be routed to a PHP file. From within the PHP code, you are free to use include, file_get_contents() or other functions to access any other file in your website, as it completely bypasses any directory protection.

So it’s no trouble at all to have, say, some scripts that are publicly accessible in one directory, and other scripts in a protected admin directory, that use reuse the same code and data under the hood.

In other words, the password protection restrict access to scripts from the web, but doesn’t restrict what those scripts can do.

system · July 5, 2025, 4:27pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.