Prevent execution of downloaded php files?

Question

Prevent execution of downloaded php files?

In my project, users are allowed to upload files of any type. I need to provide protection against the execution of downloaded files that can be processed by php (* .php, * .html, etc.)

Is there a way to tell apache not to parse php files in web / uploads and just display them as plain text? What are the other options?

+5

php .htaccess apache2

Jiamid May 04 '11 at 15:11

source share

3 answers

Apache SetHandler: http://httpd.apache.org/docs/current/mod/core.html#sethandler

. , - :

<Location /web/uploads>
SetHandler None
</Location>

, .

+2

Femi 04 '11 15:19

Why not just rename the file extensions when downloading to .phps?

To clarify PHPS, this is the source code for the PHP file:

To clarify:

file.php => file.phps

Google quick example:

http://filext.com/file-extension/PHPS

0

Jakub May 04 '11 at 15:13

source share

Kaivosukeltaja · Accepted Answer · 2011-05-04T15:17:06+0000

Keep them in one folder and set this line in the directory .htaccess:

php_flag engine off

It will also take care of other exploits, such as embedding PHP code in .gif files.

Prevent execution of downloaded php files?

More articles: