PHP - how to prevent .php files from direct access

Question

i have following folders:

mywebsite/en/index.php
mywebsite/en/product/info.php
mywebsite/en/tags/tags.php
mywebsite/en/games/list.php

my site is running on friendly url, top mentioned files accessable from following friendly urls

mywebsite/en/?pageno=1
mywebsite/en/product/Nike-glove
mywebsite/en/tags/Nike
mywebsite/en/games/ice-sports

i have some examples, but nothing work for me like...i want to prevent direct access to .php files..i want to do that with htaccess...can i?

thanks and kind regards

Reelmark

Why do you store files in webroot if you don't want them to be accessible? — zerkms
– zerkms, Commented Jul 30, 2012 at 4:03
Put them outside of your document root. It's the safest method. Leave only your main controller script inside the root. — Marc B
– Marc B, Commented Jul 30, 2012 at 4:32

Fou · Accepted Answer · 2012-07-30 04:47:03Z

5

add 404 page and try following...

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ 404.php [L]

answered Jul 30, 2012 at 4:47

Fou

9162 gold badges9 silver badges19 bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

Online User Over a year ago

You're really a king!

Adrian Günter Over a year ago

This will fail on requests like /script.php/oops because your RewriteRule is unnecessarily and erroneously matching on \.php$. RewriteRule .* 404.php [L] is better as we've already pattern matched the request URI with the RewriteCond, and you can even do RewriteRule .* [R=404] to use the same 404 mechanism as any other "unknown resource" making the entire operation transparent.

Jon Lin · Accepted Answer · 2012-07-30 04:06:17Z

2

Not sure exactly sure what you are trying to accomplish, but this will prevent direct access of your php files:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteRule \.php$ / [F,L]

Though I'm guessing you really want to redirect to the friendly urls when accessing the php files directly.

answered Jul 30, 2012 at 4:06

Jon Lin

144k29 gold badges227 silver badges224 bronze badges

2 Comments

Reel Mark Over a year ago

jon how to prevent file having parameters like "website/tag/tag.php?pno=1"

Jon Lin Over a year ago

@ReelMark where are these links coming from? You can't just magically make arbitrary links into something else. If you are generating them, change how you're generating them, if they're being linked to from elsewhere, redirect with a 301 to where the content really is.

ckaufman · Accepted Answer · 2012-07-30 04:02:28Z

1

<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>

answered Jul 30, 2012 at 4:02

ckaufman

1,4979 silver badges15 bronze badges

Comments

Adrian Günter · Accepted Answer · 2017-07-07 20:49:25Z

1

The solution I've settled on is based on @Fou's answer, but I've modified it to handle the case of /script.php/oops and opted to rewrite the response code as 404 instead of using a temporary redirect:

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .* - [R=404]

answered Jul 7, 2017 at 20:49

Adrian Günter

9072 gold badges12 silver badges23 bronze badges

Comments

messerchainey · Accepted Answer · 2012-07-30 04:47:48Z

0

just add this into your htaccess file... give it a try :) hope it useful

RewriteEngine On
IndexIgnore *

answered Jul 30, 2012 at 4:47

messerchainey

971 gold badge2 silver badges12 bronze badges

Collectives™ on Stack Overflow

PHP - how to prevent .php files from direct access

5 Answers 5

2 Comments

2 Comments

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

2 Comments

2 Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related