I made a REST PHP server, so most of the paths look like this:

/test/home.php/product

My intention is to secure the API and prevent direct access to the PHP files. After some research, I found someone asking how to hide the PHP extension, and this was his solution:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1 [L,QSA]

So the new route is /test/product and it gives the same response as /test/home.php/product, but this seems useless because the old URL is still working.

Can't I prevent access if the PHP extension appears in the URL?

PS: my question is different from "htaccess prevent access to .php and allow only with RewriteRule", since I need to protect the routes that contain the PHP extension inside them, not ones that end with php.

Neji Soltani
  • You should have the files outside of the document root and use a router instead. – M. Eriksson Aug 05 '17 at 22:54
  • Possible duplicate of https://stackoverflow.com/questions/7623725 – neil Aug 05 '17 at 23:30
  • @neil No, this is not the same. I have made the change, but I want to limit access to the old URL /test/home.php/product while keeping it working for /test/product – Neji Soltani Aug 05 '17 at 23:40
  • Ah, the above example only returned forbidden if the URL ends in .php. Try https://stackoverflow.com/questions/26232693 – neil Aug 05 '17 at 23:48
  • Possible duplicate of [htaccess prevent access to .php and allow only with RewriteRule](https://stackoverflow.com/questions/26232693/htaccess-prevent-access-to-php-and-allow-only-with-rewriterule) – neil Aug 06 '17 at 00:56
  • I have different routes; stop looking for duplicates and answer if you know – Neji Soltani Aug 06 '17 at 10:16

2 Answers

RewriteCond %{THE_REQUEST} /.+?\.php[\s?] [NC]
RewriteRule ^ - [F]

From: htaccess prevent access to .php and allow only with RewriteRule

neil
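
An added example (not from the question or either answer) showing where a block rule of this kind sits relative to the question's router rule, with the pattern extended to the path-info form the question asks about, `/test/home.php/product`. It assumes the `.htaccess` file lives in `/test/` and that `index.php` is the router, as in the question's rule.

```apache
RewriteEngine On

# THE_REQUEST is the request line exactly as the client sent it, e.g.
#   GET /test/home.php/product HTTP/1.1
# Internal rewrites never change it, so it separates a client that asked
# for a ".php" URL from a request routed to index.php by the rule below.
#
# Pattern, left to right:
#   ^[A-Z]+\s   method and the space after it
#   [^?\s]*     the path only (stops at "?", so query strings are ignored)
#   \.php       a .php script name ...
#   [/?\s]      ... followed by path info (/), a query string (?) or the
#               end of the URL (the space before the protocol version)
RewriteCond %{THE_REQUEST} ^[A-Z]+\s[^?\s]*\.php[/?\s] [NC]
RewriteRule ^ - [F]

# Router rule from the question, unchanged: anything that is not an
# existing file or directory is handed to index.php as path info.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
```

The block rule has to come before the router rule so it is evaluated first. It filters on the raw request line; keeping the API scripts outside the document root, as suggested in the comments, removes them from the URL space instead.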

What you should do is at the top of your API files:

if(!defined('INSYSTEM')) {
    exit;
}

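Then make a proxy script that you allow access to:

define('INSYSTEM', 1);
// Map known page names to files; a missing 'page' parameter matches nothing
if (isset($_REQUEST['page']) && $_REQUEST['page'] == 'home') {
    require 'home.php';
    exit;
}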
DeyMac
  • In this case, isn't it easier just to have them outside of the document root and only have the "proxy" script (which is more like a router, actually) in the document root? – M. Eriksson Aug 05 '17 at 22:58
  • There could be a server (host) that only gives access to the public folder to upload to – DeyMac Aug 05 '17 at 23:03
  • Most hosts allow you to have files one level up at least. If they don't, then you should change host, in my opinion. – M. Eriksson Aug 05 '17 at 23:07
  • In this case the proxy will be a PHP file too; it's still the same if I have to call /proxy.php/product – Neji Soltani Aug 05 '17 at 23:23
  • The code in your API files won't execute; you can add a header("") in them to redirect to the index page and then exit – DeyMac Aug 06 '17 at 00:11