Disable PHP in a directory (including all subdirectories) using .htaccess

I am creating a website that allows people to upload files, html pages, etc. Now I have a problem. I have a directory structure like this:

 -/USERS
     -/DEMO1
     -/DEMO2
     -/DEMO3
     -/etc... (every user has his own directory here)
 -index.php
 -control_panel.php
 -.htaccess

Now I want to disable PHP, but enable server-side includes in directories and subdirectories inside /USERS.

Can this be done (and how :))? Thanks in advance.

By the way, I'm using a WAMP server

+50
php apache .htaccess
Aug 13 '09 at 13:20
8 answers

Try disabling the engine parameter in the .htaccess file:

 php_flag engine off 
+98
Aug 13 '09 at 13:46

To disable all access to sub dirs (secure), use:

 <Directory full-path-to/USERS>
     Order Deny,Allow
     Deny from All
 </Directory>

If you want to block only PHP files directly, follow these steps:

1 - Make sure you know which file extensions the server recognizes as PHP (and does not allow people to override htaccess). On one of my servers the value is set:

 # Example of existing recognized extensions:
 AddType application/x-httpd-php .php .phtml .php3

2 - Based on the extensions, add a regex to FilesMatch (or LocationMatch)

 <Directory full-path-to/USERS>
     <FilesMatch "(?i)\.(php|php3?|phtml)$">
         Order Deny,Allow
         Deny from All
     </FilesMatch>
 </Directory>

Or use Location to match php files (I prefer the approach described above)

 <LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
     Order Deny,Allow
     Deny from All
 </LocationMatch>
+37
Aug 13 '09 at 13:30

If you use mod_php, you can put (either in .htaccess in /USERS, or in your httpd.conf for the USERS directory)

 RemoveHandler .php 

or

 RemoveType .php 

(depending on whether PHP is enabled using AddHandler or AddType)

PHP files launched from another directory can still include files in /USERS (assuming there is no open_basedir restriction) because that does not go through Apache. If the PHP file is accessed through Apache, it will be served like plain text.

Edit

Lance Rush's decision to simply deny file access is probably better

+9
Aug 13 '09 at 13:25

This will display the source code instead of executing it:

 <VirtualHost *>
     ServerName sourcecode.testserver.me
     DocumentRoot /var/www/example
     AddType text/plain php
 </VirtualHost>

I used it once so that another employee could have read access to the source code from the local network (just a quick and dirty alternative).

WARNING! :

As Dan once remarked, this method should never be used in production. Follow the accepted answer as it blocks any attempt to execute or display php files.

If you want users to share php files (and let others display the source code), there are better ways to do this, such as git, wiki, etc.

This method should be avoided! (you have been warned, leave it here for educational purposes)

+7
Dec 14 '09 at 2:24
 <Directory /your/directorypath/>
     php_admin_value engine Off
 </Directory>
+7
Feb 18 '14 at 22:02

This may be redundant, but be careful about assuming that your PHP file extension is .php: if someone comes later and adds handlers for .php4 or even .html, those files are then processed by PHP. You might be better off not serving files from these directories from another Apache instance or anything else that only serves static content.

+1
Aug 13 '09 at 13:36
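
Step 1 of the FilesMatch answer and the warning just above both come down to one check: does the deny regex cover every extension the server actually maps to PHP? The script below is an added example, not part of any answer in this thread. The sample config is constructed, and treating any MIME type or handler name containing "php" as a PHP mapping is an assumption.

```python
import re

# Constructed sample config (not from the page): the first directive is the
# one quoted in the FilesMatch answer, the next two are later additions of
# the kind the warning describes.
SAMPLE_CONF = """\
AddType application/x-httpd-php .php .phtml .php3
AddHandler application/x-httpd-php .php4
AddType application/x-httpd-php .html
AddType text/html .shtml
"""

# Deny pattern copied from the FilesMatch answer on this page.
DENY_PATTERN = r"(?i)\.(php|php3?|phtml)$"

DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I)


def php_extensions(conf_text):
    """Collect extensions that AddType/AddHandler lines map to PHP."""
    found = set()
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # comment lines start with '#', no match
        # Assumption: a PHP mapping has "php" in its MIME type or handler name.
        if not m or "php" not in m.group(2).lower():
            continue
        for ext in m.group(3).split():
            found.add("." + ext.lstrip(".").lower())
    return found


def uncovered(conf_text, deny_pattern=DENY_PATTERN):
    """Return PHP-mapped extensions that the deny regex does not match."""
    deny = re.compile(deny_pattern)
    return sorted(e for e in php_extensions(conf_text)
                  if not deny.search("upload" + e))


if __name__ == "__main__":
    for ext in uncovered(SAMPLE_CONF):
        print("executed as PHP but not blocked:", ext)
```

Run it against the real httpd.conf and any included files whenever handlers change; an empty result means the regex still matches everything the server treats as PHP.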

None of these answers work for me (generates a 500 error or does nothing). This is probably due to the fact that I work on a hosted server, where I can not access the Apache configuration.

But it worked for me:

RewriteRule ^.*\.php$ - [F,L]

This line generates a 403 Forbidden error for any URL that ends in .php and ends up in this subdirectory.

@Oussama led me in the right direction here, thanks to him.

0
Nov 06 '17 at 14:20

Try the following:

 <FilesMatch "\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$">
     SetHandler None
 </FilesMatch>
-2
Aug 01 '13 at 20:16