How can I prevent an uploaded file from being executed? For example, someone could upload a PHP file and use it to hack the site; I want to prevent it.
The best way that I know is using directory permissions, and setting them to 666?
Is there some htaccess magic that I can do?
You can just put a .htaccess in your upload folder with the following line:
php_flag engine off
It will disable PHP execution in this directory.
Edited to answer comments:
chmod 666 does not prevent PHP execution. It simply marks files as non-executable so you can't run them directly as scripts or binaries. PHP does not care about the permissions of the file; as long as it is readable, it will get parsed and executed by the engine.
So if your server has multiple engines (PHP, Jelly, whatever) you will have to manually build a configuration file that will prevent files within a folder from being interpreted. You could make a script that would generate that file based on what engines are installed on the machine.
Permissions will not work if you modify them using an FTP client and your server scripts are not using the same user/permissions (the normal WordPress scenario).
If you want to avoid it with .htaccess, this may help.
Tested on LiteSpeed server version 5.4.10.
<Files *.php>
deny from all
</Files>
<Files *.*>
deny from all
</Files>
<Files myfile.php>
deny from all
</Files>
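Added example, not part of either answer above: a shell version of the generator script the first answer suggests, combining its `php_flag engine off` line with the `<Files *.php>` block from the second answer. The function name `gen_upload_htaccess` and the sample module list are constructed for illustration; the CGI line and the `Require all denied` form go beyond what the answers show and assume Apache with `AllowOverride` permitting these directives.

```shell
#!/bin/sh
# Added example: build an upload-folder .htaccess from the modules Apache
# reports as loaded. Input on stdin: text in the format of `apachectl -M`.

gen_upload_htaccess() {
    # Keep only the module identifiers (first column ending in _module).
    mods=$(awk '$1 ~ /_module$/ { print $1 }')
    php_mods=$(printf '%s\n' "$mods" | grep -E '^php[0-9]*_module$' || true)

    # First answer: switch the PHP engine off. The IfModule guard keeps a
    # server without mod_php from failing on an unknown directive.
    for m in $php_mods; do
        printf '<IfModule %s>\n    php_flag engine off\n</IfModule>\n' "$m"
    done

    # Assumption beyond the page: if a CGI module is loaded, stop files
    # in this folder from being run as CGI scripts.
    if printf '%s\n' "$mods" | grep -Eq '^cgid?_module$'; then
        printf 'Options -ExecCGI\n'
    fi

    # Second answer: refuse requests for *.php outright, so the block
    # still applies when PHP runs through a handler other than mod_php.
    if printf '%s\n' "$mods" | grep -q '^authz_core_module$'; then
        deny='Require all denied'   # Apache 2.4 syntax
    else
        deny='deny from all'        # older syntax, as written in the answer
    fi
    printf '<Files *.php>\n    %s\n</Files>\n' "$deny"
}

# Constructed sample of `apachectl -M` output (not taken from a real server).
SAMPLE_MODS='Loaded Modules:
 core_module (static)
 authz_core_module (shared)
 cgi_module (shared)
 php7_module (shared)'

# Run with --demo to print the .htaccess generated for the sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MODS" | gen_upload_htaccess
fi
```

Piping the real module list into the function and redirecting the output to the upload folder's `.htaccess` applies it; re-run it after enabling or removing an engine.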