tonelm54
asked on
.htaccess allow only php
I'm trying to write a .htaccess file which will block access to .inc files on my Apache web server.
At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S
So after reading about .htaccess I've done the following:-
<Files *.inc>
Order Deny,Allow
Deny from all
</Files>
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files *.png>
Order Deny,Allow
Deny from all
</Files>
<Files *.swg>
Order Deny,Allow
Deny from all
</Files>
Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S
What I'm trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be accomplished by:-
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
What am I doing wrong?
Standard practice is what darron suggests, make it a *.php file. You will see it done that way in WordPress, phpMyAdmin, and many other applications including mine.
ASKER
Ok, done that, which has worked.
What I'm now looking at is to stop the user being able to access some .dat files in a subdirectory, is it possible to block access in the .htaccess file to .dat?
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.
You could configure your web server to use a different root directory and place the php files with passwords outside of this.
For example, when I see that the default root is /var/www, I set up /var/www/htdocs and declare this as root, then I create /var/www/php and put my PHP files with passwords there. Other PHP files can include them with
include '../php/passwords.php'
but the web server will refuse to deliver
http://../php/password.php
Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
include '.passwords.php'
but the web server will not show it.
Try this in your .htaccess file
<Files ~ "\.dat$">
Order allow,deny
Deny from all
</Files>
- you seem to deny access on all files, but I guess you noticed already
- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root
then you may want to try
<Files *.inc>
Order Deny,Allow
Deny from all
</Files>
<Files *.php>
Order Deny,Allow
Allow from all
</Files>
<Files *.png>
Order Deny,Allow
Allow from all
</Files>
<Files *.swg>
Order Deny,Allow
Allow from all
</Files>
or rather
<Files *>
Order Allow,Deny
Allow from all
</Files>
<Files *.inc>
Order Deny,Allow
Deny from all
</Files>
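The allow-list the asker describes (serve only *.php, *.png and *.swg, block everything else), written out as an added example that is not part of the original thread or any poster's configuration. It assumes the file is used as a per-directory .htaccess, covers both the Apache 2.2 directives used above and the Apache 2.4 `Require` equivalents, and assumes directory requests such as `/` are checked with an empty file name, hence the `^$` alternative.

```apache
# Added example: deny-by-default allow-list for a .htaccess file.
# Sections of the same type are merged in the order they appear, so the
# later, more specific <FilesMatch> overrides the catch-all above it.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    # 1. Block every file name, including ones added later by mistake
    #    (dbConf.inc, *.dat, backup copies such as index.php.bak).
    <FilesMatch ".*">
        Require all denied
    </FilesMatch>

    # 2. Re-open only the extensions that are meant to be served.
    #    The trailing "$" keeps index.php.bak blocked.
    #    "^$" is the empty file name of a directory request ("/"),
    #    so DirectoryIndex can still hand the request to index.php.
    <FilesMatch "^$|\.(php|png|swg)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2 (Order/Allow/Deny, the syntax used in this thread)
<IfModule !mod_authz_core.c>
    <FilesMatch ".*">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

    <FilesMatch "^$|\.(php|png|swg)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>
</IfModule>
```

The server configuration has to permit these directives in .htaccess (`AllowOverride AuthConfig` for `Require`, `AllowOverride Limit` for `Order`/`Allow`/`Deny`); with `AllowOverride None` the file is ignored and nothing is blocked. Requesting dbConf.inc and index.php after the change should return 403 and 200 respectively.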