Disable PHP in directory including all sub-directories with htaccess

Question

I m making a website which allows people to upload files  html pages  etc    Now I m having a problem  I have a directory structure like this   - USERS     - DEMO1     - DEMO2     - DEMO3     - etc     every user has his own direcory here  -index php -control panel php - htaccess   Now I want to disable PHP  but enable Server-side includes in the direcories and subdirectories inside  USERS  Can this be done  and how       Thanks in advance   BTW  I use WAMP server

User · Answer

None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.

But this worked for me :

RewriteRule ^.*\.php$ - [F,L]

This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.

@Oussama lead me to the right direction here, thanks to him.

User · Answer

To disable all access to sub dirs  safest  use    lt Directory full-path-to USERS gt       Order Deny Allow      Deny from All   lt  Directory gt    If you want to block only PHP files from being served directly  then do   1 - Make sure you know what file extensions the server recognizes as PHP  and dont  allow people to override in htaccess    One of my servers is set to      Example of existing recognized extenstions  AddType application x-httpd-php  php  phtml  php3   2 - Based on the extensions add a Regular Expression to FilesMatch  or LocationMatch     lt Directory full-path-to USERS gt        lt FilesMatch    i    php php3  phtml    gt              Order Deny Allow             Deny from All      lt  FilesMatch gt    lt  Directory gt    Or use Location to match php files   I prefer the above files approach    lt LocationMatch   USERS     i    php3  phtml    gt       Order Deny Allow      Deny from All  lt  LocationMatch gt

User · Answer

If you use php-fpm  the php admin value will NOT work and gives an Internal Server Error  Instead use this in your  htaccess  It disables the parser in that folder and all subfolders   lt FilesMatch  quot        quot  gt      SetHandler    lt  FilesMatch gt

User · Answer

On production I prefer to redirect the requests to  php files under the directories where PHP processing should be disabled to a home page or to 404 page  This won t reveal any source code  why search engines should index uploaded malicious code   and will look more friendly for visitors and even for evil hackers trying to exploit the stuff  Also it can be implemented in mostly in any context - vhost or  htaccess  Something like this    lt DirectoryMatch     docroot   image cache upload    gt       lt FilesMatch    php   gt            use one of the redirections          RedirectMatch temp         http     servername  404           RedirectMatch temp         http     servername        lt  FilesMatch gt   lt  DirectoryMatch gt    Adjust the directives as you need

User · Answer

Try to disable the engine option in your  htaccess file   php flag engine off

User · Answer

If you re using mod php  you could put  either in a  htaccess in  USERS or in your httpd conf for the USERS directory   RemoveHandler  php   or   RemoveType  php    depending on whether PHP is enabled using AddHandler or AddType   PHP files run from another directory will be still able to include files in  USERS  assuming that there is no open basedir restriction   because this does not go through Apache  If a php file is accessed using apache it will be serverd as plain text   Edit  Lance Rushing s solution of just denying access to the files is probably better

User · Answer

lt Directory  your directorypath  gt       php admin value engine Off  lt  Directory gt

User · Answer

This will display the source code instead of executing it    lt VirtualHost   gt      ServerName sourcecode testserver me     DocumentRoot  var www example     AddType text plain php  lt  VirtualHost gt    I used it once to enable other co-worker to have read access to the source code from the local network  just a quick and dirty alternative    WARNING     As Dan pointed it out sometime ago  this method should never be used in production  Please follow the accepted answer as it blocks any attempt to execute or display php files    If you want users to share php files  and let others to display the source code   there are better ways to do it  like git  wiki  etc    This method should be avoided   you have been warned  Left it here for educational purposes

User · Answer

This might be overkill - but be careful doing anything which relies on the extension of PHP files being  php - what if someone comes along later and adds handlers for  php4 or even  html so they re handled by PHP  You might be better off serving files out of those directories from a different instance of Apache or something  which only serves static content

[php] Disable PHP in directory (including all sub-directories) with .htaccess

Examples related to php

Examples related to apache

Examples related to .htaccess