We help IT Professionals succeed at work.

htaccess preventing file upload.

kadin asked
Last Modified: 2014-08-14
I am using Apache with folder permissions 755.
I am having trouble understanding if this is working. I am trying to allow image files to be uploaded to content folder and prevent the upload of non-image files such as those with a .php extension. I try both of the codes below but they don't stop php files from being uploaded. My content folder is now inside my root directory. Yesterday my content folder was outside of root directory and the php files could not upload or at leased they were not visible.

1. Do I have this wrong, is the purpose of the code below not to prevent upload but instead to prevent execution of php or other unwanted file types?

2. Do I place this inside the same folder images are in or the parent folder to that. (content/images)?

3. Do I have to restart Apache each time I replace a htaccess file to get the htaccess file to work?

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all

ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
    ForceType none
    Header unset Content-Disposition
Header set X-Content-Type-Options nosniff

Open in new window

Watch Question

Expert of the Year 2014
Top Expert 2014
This one is on us!
(Get your first solution completely free - no credit card required)


It sounds like your saying it doesn't prevent the php or non-image file from being uploaded. Just stops the execution of it. Is that correct?

I guess then to test this I will have to upload a php file that has code in it that will do something when executed.
Expert of the Year 2014
Top Expert 2014



Thanks again.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.