Unfortunately with a product I rolled out, blackhatters found they could access an unprotected directory where I had the zip files. I use PHP to serve up those zips with readfile(), so normally in my application people do not get to those files by URL. So, to head off the problem, I dropped a blank index.php file in that directory. Trouble is, people who read in the forums what the actual zip file names are can download it by simply typing the URL, and unfortunately my product delivery system is complex and won't let me change the name of that URL.
How do I create an .htaccess file in that directory such that people can't download anything out of it by URL, yet allow my PHP readfile() code to continue to serve up that file with a force dodwnload? Even if you're only guessing -- I'm taking any suggestions at this point. I'll keep trying until I find something here that works.
Again, I just need to block direct browser access to specific zip file URLs that people read about in a forum. I think the PHP readfile() code, which runs through the file system rather than the web access, will continue to work just fine.
If you're using
readfile(), you can put the files anywhere outside the htdocs directory, and access them by php there (make sure it's readable by the (php) user.Or (if you must have them there) you can add a
.htaccesswith:which will deny access (through a browser) to all, but php (as a service run locally) can still access it via
readfile().