Disabling download of php files if PHP is not installed

My university has multiple servers which have the same data mirrored across them, so I can access for instance

foo.uni.edu/file.php
bar.uni.edu/file.php

The thing is, not all servers have PHP installed, so anyone could possibly download my PHP files if they made the connection through a server which didn't have PHP installed. Is there a way, possibly with .htaccess, to avoid this? As in, only allow opening PHP files if a PHP server is installed?

vascoFG asked Nov 17 '12 02:11

1 Answer

If it's possible to store files outside of the document root, you could work around the problem by storing all sensitive data outside the docroot. You would then have your publicly accessible scripts use include to access those files.

So, if you upload to /username/public_html, and public_html is your document root (e.g., foo.uni.edu/file.php is /username/public_html/file.php), then you would upload to /username/file.php instead and place another script in /username/public_html which merely contains something like include('../file.php');

This is good practice in any case, in case a configuration error on the server ever stops PHP from being parsed.

You could also try using IfModule and FilesMatch to deny access to PHP files if mod_php isn't enabled:

<IfModule !mod_php.c>
    <FilesMatch "\.php$">
        Order Deny,Allow
        Deny from All
    </FilesMatch>
</IfModule>

If this doesn't work, try !mod_php5.c instead.

Kelvin answered Oct 20 '22 16:10
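
To confirm that a mirror without PHP really refuses to hand out source after applying either approach above, the response to a .php request can be classified as in this added example (not part of the answer). The function names, the content-type list and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# PHP opening tags that should never appear in a response that was executed.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Content types a server without a PHP handler may send for .php (assumed list).
RAW_TYPES = ("application/x-httpd-php", "application/octet-stream", "text/x-php")


def classify(status, content_type, body):
    """Return 'blocked', 'leaked' or 'executed' for one response to a .php URL."""
    if status >= 400:
        return "blocked"  # e.g. the 403 produced by the FilesMatch deny rule
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype in RAW_TYPES or PHP_TAG.search(body):
        return "leaked"  # raw source reached the client
    return "executed"


def probe(url, timeout=5):
    """Fetch one of your own .php URLs on a mirror and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return classify(r.status, r.headers.get("Content-Type"), r.read(65536))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Content-Type"), b"")


# Constructed sample responses: (status, Content-Type, body).
SAMPLES = {
    "mirror with PHP": (200, "text/html; charset=UTF-8", b"<html><body>Hello</body></html>"),
    "no PHP, no rule": (200, "application/x-httpd-php", b"<?php $secret = 'example'; ?>"),
    "no PHP, served as text": (200, "text/plain", b"<?php include('../file.php');"),
    "no PHP, FilesMatch deny": (403, "text/html", b"<h1>Forbidden</h1>"),
}


def audit(samples):
    """Classify every sample and return {name: verdict}."""
    return {name: classify(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:9} {name}")
```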