Deny direct access to all php files except index php

Question

I want to deny direct access to all  php files except one  index php  The only access to the other  php files should be through php include   If possible I want all files in the same folder   UPDATE   A general rule would be nice  so I don t need to go through all files  The risk is that I forget a file or line    UPDATE 2   The index php is in a folder www myadress com myfolder index php  I want to deny access to all  php files in myfolder and subfolders to that folder

User · Answer

URL rewriting could be used to map a URL to .php files. The following rules can identify whether a .php request was made directly or it was re-written. It forbids the request in the first case:

RewriteEngine On
RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
RewriteRule \.php$ - [F]
RewriteRule test index.php

These rules will forbid all requests that end with .php. However, URLs such as / (which fires index.php), /test (which rewrites to index.php) and /test?f=index.php (which contains index.php in querystring) are still allowed.

THE_REQUEST contains the full HTTP request line sent by the browser to the server (e.g., GET /index.php?foo=bar HTTP/1.1)

User · Answer

An easy solution is to rename all non-index php files to  inc  then deny access to   inc files  I use this in a lot of my projects and it works perfectly fine

User · Answer

Actually  I came here with the same question as the creator of the topic  but none of the solutions given were a complete answer to my problem  Why adding a code to ALL the files on your server when you could simply configure it once   The closest one was Residuum s one  but still  he was excluding ALL files  when I wanted to exclude only php files that weren t named index php   So I came up with a  htaccess containing this     lt Files   php gt      Order Deny Allow     Deny from all     Allow from 127 0 0 1  lt  Files gt    lt Files index php gt      Order Allow Deny     Allow from all  lt  Files gt     Remember  htaccess files are working recursively  so it suits perfectly the prerequisite of the question    And here we go  The only php files that will be accessible for an user will be the ones named index php  But you can still acces to every image  css stylesheet  js script  etc

User · Answer

Allow only 2 ip   all other will block  Order Deny Allow Deny from all Allow from 173 11 227 73 108 222 245 179

User · Answer

With Apache 2 4  the syntax for access control has changed  If using directives like   Order deny allow Deny from all   does not work  you re likely using Apache 2 4   The Apache 2 4 docs are here   You need to use Require all denied in one of these ways     you can do it this way  with  not match     lt FilesMatch      index  php      gt    Require all denied  lt  FilesMatch gt     or   Require all denied   lt Files index php gt    Require all granted  lt  Files gt

User · Answer

place all files in one folder  place a  htaccess file in that folder and give it the value deny all  then in index php thats placed outside of the folder have it echo out the right pages based on user input or event

User · Answer

An oblique answer to the question is to write all the code as classes  apart from the index php files  which are then the only points of entry   PHP files that contain classes will not cause anything to happen  even if they are invoked directly through Apache   A direct answer is to include the following in  htaccess    lt FilesMatch    php   gt      Order Allow Deny     Deny from all  lt  FilesMatch gt   lt FilesMatch  index 0-9    php   gt      Order Allow Deny     Allow from all  lt  FilesMatch gt    This will allow any file like index php  index2 php etc to be accessed  but will refuse access of any kind to other  php files   It will not affect other file types

User · Answer

Instead of passing a variable around I do this which is self-contained at the top of any page you don t want direct access to  this should still be paired with  htaccess rules but I feel safer knowing there is a fail-safe if htaccess ever gets messes up    lt  php    Security check  Deny direct file access  must be loaded through index if  count get included files       1        header  Location  index php       Send to index     die  403       Must include to stop PHP from continuing     gt

User · Answer

lt Files           Pp  Hh  Pp    gt   Order allow deny  Deny from all  Satisfy All  lt  Files gt

User · Answer

Are you sure  you want to do that  Even css and js files and images and        OK  first check if mod access in installed to apache  then add the following to your  htaccess   Order Deny Allow Deny from all Allow from 127 0 0 1   lt Files  index php gt      Order Allow Deny     Allow from all  lt  Files gt    The first directive forbids access to any files except from localhost  because of Order Deny Allow  Allow gets applied later  the second directive only affects index php    Caveat  No space after the comma in the Order line   To allow access to files matching   css or   js use this directive    lt FilesMatch       css js    gt      Order Allow Deny     Allow from all  lt  FilesMatch gt    You cannot use directives for  lt Location gt  or  lt Directory gt  inside  htaccess files  though   Your option would be to use  lt FilesMatch      php   gt  around the first allow deny group and then explicitely allow access to index php   Update for Apache 2 4  This answer is correct for Apache 2 2  In Apache 2 4 the access control paradigm has changed  and the correct syntax is to use Require all denied

User · Answer

You can try defining a constant in index php and add something like  if   defined  YOUR CONSTANT    die  No direct access      to the beginning of the other files   OR  you can use mod rewrite and redirect requests to index php  editing  htaccess like this   RewriteEngine on RewriteCond  1    index  php  RewriteRule         index php  1  L R 301    Then you should be able to analyze all incoming requests in the index php and take according actions   If you want to leave out all   jpg    gif    css and   png files  for example  then you should edit second line like this   RewriteCond  1    index  php    jpg    gif    css    png

User · Answer

How about keeping all  php-files except for index php above the web root  No need for any rewrite rules or programmatic kludges   Adding the includes-folder to your include path will then help to keep things simple  no need to use absolute paths etc

[php] Deny direct access to all .php files except index.php

Examples related to php

Examples related to .htaccess