

Prevent php scripts running via .htaccess and AddHandler

Posted on 2004-11-25
Medium Priority
Last Modified: 2008-03-04
I need to offer FTP access to a subdirectory to a select few clients.

This will be just to share .doc and .pdf files, but it needs to be accessible from the web... and hence I want to safeguard against potential misuse (although the clients are 100% trustworthy, you never know !!!)

I think there is a way to have an .htaccess file which sets the type of a .php file to null or something, so it can't run even if it's there... Is this using AddHandler ???

Anyway, despite searching EE and the web, I can't find the syntax to make an .htaccess file which will render .php or other script files useless in this particular subdirectory - any ideas ???

Many thanks

Question by: milkmon123

Expert Comment

ID: 12678050
Well, I am not an expert on .htaccess, but I would assume you could use mod_rewrite to re-write any URL with .php to some other HTML file saying "php disabled" or something.

LVL 27

Accepted Solution

Diablo84 earned 1000 total points
ID: 12678334
I suppose you could also just prevent access for php extensions. With the following, anything with .php will result in a 403 Forbidden error, so php scripts can be uploaded but not run on your server.

<Files "*.php">
Order Allow,Deny
Deny from all
</Files>

Expert Comment

ID: 12678997
If you are using PHP as an Apache module, you can put the following line in your .htaccess file:
php_flag engine off

If that doesn't work, make sure you have set "AllowOverride Options" or "AllowOverride All" privileges for the directory that contains the .htaccess file.

Author Comment

ID: 12679136
Thanks Diablo - you got me on the right track !!!

This is the one I used in the end...

<FilesMatch "\.(gif|jpe?g|png|php3?)$">
Order Allow,Deny
Deny from all
</FilesMatch>

(In earlier Apache versions you could use <Files ~ "expression">)

Many thanks for your help and quick response.
LVL 27

Expert Comment

ID: 12680989
no problem :)
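
An added example, not part of the original thread: a Python audit of the FTP-writable directory that lists every file other than a .doc or .pdf and reports whether the FilesMatch rule quoted above would answer a request for it with 403. The allow-list, the function names and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Deny pattern copied from the thread's final .htaccess (FilesMatch).
DENY_RULE = re.compile(r"\.(gif|jpe?g|png|php3?)$")
# Assumption: only .doc and .pdf are meant to be shared, per the question.
# Exactly one extension is accepted because mod_mime looks at every
# extension in a file name, not just the last one.
ALLOWED = re.compile(r"^[^.]+\.(doc|pdf)$", re.IGNORECASE)


def classify(name):
    """Return 'allowed', 'denied' (403 from the rule) or 'unexpected'."""
    if ALLOWED.match(name):
        return "allowed"
    if DENY_RULE.search(name):
        return "denied"
    return "unexpected"


def audit(root, keep=(".htaccess",)):
    """Walk root and list every file that is not an allowed document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel in keep:          # the admin's own top-level .htaccess
                continue
            status = classify(name)
            if status != "allowed":
                findings.append((rel, status))
    return sorted(findings)


def demo():
    """Build a constructed upload directory and audit it."""
    names = ["report.pdf", "Notes.DOC", "index.php", "old.php3",
             "page.phtml", "logo.png", ".htaccess",
             os.path.join("sub", ".htaccess")]
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        for n in names:
            open(os.path.join(root, n), "w").close()
        return audit(root)


if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:10} {rel}")
```

Files reported as "unexpected" are neither shareable documents nor covered by the deny rule, so they are the ones to review or remove after each upload.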

Question has a verified solution.