1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

How to diallow executing .php directly?

Discussion in 'Apache' started by postcd, Sep 30, 2015.

  1. #1
    Hello,

    i have an content management system installed and i would like to secure my site by forbidding anyone to call php script with .php extension directly

    i mean so example i cant open in webbrowser: mysite.com/script.php

    i have prety urls (mod rewrite) on the forum so its not needed for anyone to open .php directly.

    i want it as protection from malware files that might be injected

    can i use .htaccess for this, please how?

    i found this post: https://www.apachelounge.com/viewtopic.php?p=22816#22816

    thank you,
    Vit
     
    postcd, Sep 30, 2015 IP
  2. zacharooni

    zacharooni Well-Known Member

    Messages:
    346
    Likes Received:
    20
    Best Answers:
    4
    Trophy Points:
    120
    #2
    You might be able to use something like this:

    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
    RewriteRule \.php$ / [F,L]​
     
    zacharooni, Oct 5, 2015 IP
    postcd likes this.
  3. postcd

    postcd Well-Known Member

    Messages:
    1,037
    Likes Received:
    9
    Best Answers:
    1
    Trophy Points:
    190
    #3
    thanks alot, Your rule works exactly as needed. It do not allow executing .php file directly in webbrowser, via wget, via curl, via php, results in 403 error. But normal php website works (one just need not to open .php file directly.

    if one want to exclude certain php file, one can add this line:
    RewriteCond %{REQUEST_URI} !index.php
    (index.php is excluded)

    thx again for sharing the rule

    PS: if hacker who inject malicious .php file use "file.php?=imallowed" i think he will execute file without issues, so it is not 100% protection i assume..
     
    Last edited: Oct 8, 2015
    postcd, Oct 8, 2015 IP