Deny access to .php files apart from the server itself

Question

How can I write a .htaccess script that prevents the user from running .php files in a certain directory and it's child directories?

I would need to be able to include the php file from the servers index.php or other files though, basically I want to enable to the server to to include the php files from a certain directory but, if the user were to type in the specific URL, it would deny access.

You have something of a dichotomy in your title. The user requesting them *is the server* — , Dec 05 '13 at 06:42

score 1 · Answer 1 · edited May 23 '17 at 11:56

1

This could do the trick

<FilesMatch "\.php$">
   Deny from all
<FilesMatch>

Also, see the answers to this question: Deny direct access to all .php files except index.php

edited May 23 '17 at 11:56

Community

1
1

answered Dec 05 '13 at 06:41

naivists

32,681
5
61
85

Thanks Dmitry, fixed it. – naivists Dec 05 '13 at 06:48
Sorry for my previous comment, I was mistaken - it is possible to use File directive in .htaccess. I'v just looked up Apache documentation and checked variant - it works just fine. – Dmitry Pljonkin Dec 05 '13 at 06:53

score 0 · Answer 2 · answered Dec 05 '13 at 07:39

I usually do something like this:

If I want a user to access a file, say members.php or index.php

<?php
    $GLOBAL_PAGE="page name"; //set the 'visible' flag
    include_once 'headers.php'
...
?>

In headers.php:

<?php
     if(!page_is_authorized($GLOBAL_PAGE))
         //redirect to a valid page
         header( 'Location: index.php' );
     ....
?>

where page_is_authorized($s) checks $s against a list of valid values.

I know this doesn't use .htaccess rules as you requested but I usually don't have access to that file so there goes. It's portable too!

+1 about the portability. This helps if for some reason using `.htaccess` is forbidden on the server. — naivists, Dec 05 '13 at 11:54

Deny access to .php files apart from the server itself

2 Answers2