I'm thinking of using the htaccess file on my apache server to add a layer of security to the payment processing on my site. I am considering the 2 actions below, not sure how yet, but thats where the trial & error & learning begins.

  1. rewrite the url for the files that do the processing i.e. the user completes the payment form at //mydomain/forms/form.php On submit the form data is posted to //mydomain/payment/form_process.php to process the payment - connect to the payment exchange, make payment, write to Db, etc, etc. I'm hoping I can rewite //mydomain/payment/form_process.php to something like //mydomain/blank: while the processing takes place, then show a useful domain name one the process redirects to the confirmation or error page.
  2. write a rule that blocks domains other than mydomain accessing //mydomin/payments/ folder, redirecting all attempts to access this folder to either 404 or index page.

Are the above possible, and if yes, will they significantly improve the security of payments on my site? Lastly, is there anything else I should consider when manipulating the .htaccess file for this type of processing?

Many thanks.

Edited by Thorby68: important typo

3 Years
Discussion Span
Last Post by iamthwee

That's a bit of security through obscurity.

To what end are you planning on doing this?

Rewrites are good for looking professional. There is little security to it. It's basically a redirect. Even if I show you that you are posting to mysuperlockeddownphpscrupt.php you won't be able to do much to it if I code proactively (rejecting requests that don't originate from your server, making sure you sanitize data, prepare SQL, etc...). The only other way you can get burned besides SQL injection attacks that is within your control is to keep your passwords locked up and strong. If someone gets root access, all the .htaccess hackery in the world won't help you.


pretty much there are few things you can do with .htaccess file. Please read #9 on this article. While you are at it, try reading some topics that are related to your situation.


Many thanks, you've probably saved me from hours, if not days, of trying to establish complex rules that wont achieve their objective. My code is pretty secure as I only use prepared scripts, I escape all form data, and impose pretty strict data parsing rules, i.e. I know what i'm expecting - email, telephone, alpha, numerics, string lengths and ao on, so therefore do not process anything that is out of the ordinary.

My real concern is protecting the payment gateway access codes which are held in a seperate files. I suppose I'd better read up on how to reject requests that don't originate from my server, maybe look some encrypting techniques and even ways of password protecting these files. Oh and i'd better make sure my hosting service have taken strict measures to prevent root access ?

Many thanks for your input and saving me lots of head scratching. Any advice on the above or a nudge in the right direction would be gratefully appreciated.

Again thank you for the sound advice.


Fyi, you can spoof origination. It's only a stop gap. If you are worried about data, encrypt it. If you can't, let the big boys take care of it for you and use alternative methods. Most cc processors will allow everything from repeat billing to single small payments through their API, and they take care of everything you don't want any business with.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.