PHP - how to prevent .php files from direct access

Question

i have following folders:

mywebsite/en/index.php
mywebsite/en/product/info.php
mywebsite/en/tags/tags.php
mywebsite/en/games/list.php

my site is running on friendly url, top mentioned files accessable from following friendly urls

mywebsite/en/?pageno=1
mywebsite/en/product/Nike-glove
mywebsite/en/tags/Nike
mywebsite/en/games/ice-sports

i have some examples, but nothing work for me like...i want to prevent direct access to .php files..i want to do that with htaccess...can i?

thanks and kind regards

Reelmark

Why do you store files in webroot if you don't want them to be accessible? — zerkms, Commented Jul 30, 2012 at 4:03
Put them outside of your document root. It's the safest method. Leave only your main controller script inside the root. — Marc B, Commented Jul 30, 2012 at 4:32

Fou · Accepted Answer · 2012-07-30 04:47:03Z

5

add 404 page and try following...

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ 404.php [L]

answered Jul 30, 2012 at 4:47

Fou

9062 gold badges8 silver badges19 bronze badges

You're really a king!
– Online User
Commented Dec 6, 2014 at 11:01
This will fail on requests like /script.php/oops because your RewriteRule is unnecessarily and erroneously matching on \.php$. RewriteRule .* 404.php [L] is better as we've already pattern matched the request URI with the RewriteCond, and you can even do RewriteRule .* [R=404] to use the same 404 mechanism as any other "unknown resource" making the entire operation transparent.
– Adrian Günter
Commented Jul 7, 2017 at 20:41

Add a comment |

Jon Lin · Accepted Answer · 2012-07-30 04:06:17Z

2

Not sure exactly sure what you are trying to accomplish, but this will prevent direct access of your php files:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteRule \.php$ / [F,L]

Though I'm guessing you really want to redirect to the friendly urls when accessing the php files directly.

answered Jul 30, 2012 at 4:06

Jon Lin

143k29 gold badges222 silver badges221 bronze badges

jon how to prevent file having parameters like "website/tag/tag.php?pno=1"
– Reel Mark
Commented Jul 30, 2012 at 4:19
@ReelMark where are these links coming from? You can't just magically make arbitrary links into something else. If you are generating them, change how you're generating them, if they're being linked to from elsewhere, redirect with a 301 to where the content really is.
– Jon Lin
Commented Jul 30, 2012 at 4:21

Add a comment |

ckaufman · Accepted Answer · 2012-07-30 04:02:28Z

1

<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>

answered Jul 30, 2012 at 4:02

ckaufman

1,4979 silver badges15 bronze badges

Add a comment |

Adrian Günter · Accepted Answer · 2017-07-07 20:49:25Z

1

The solution I've settled on is based on @Fou's answer, but I've modified it to handle the case of /script.php/oops and opted to rewrite the response code as 404 instead of using a temporary redirect:

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .* - [R=404]

answered Jul 7, 2017 at 20:49

Adrian Günter

9012 gold badges11 silver badges23 bronze badges

Add a comment |

messerchainey · Accepted Answer · 2012-07-30 04:47:48Z

0

just add this into your htaccess file... give it a try :) hope it useful

RewriteEngine On
IndexIgnore *

answered Jul 30, 2012 at 4:47

messerchainey

971 gold badge2 silver badges12 bronze badges

Add a comment |

Collectives™ on Stack Overflow

PHP - how to prevent .php files from direct access

5 Answers 5

Not the answer you're looking for? Browse other questions tagged
php
.htaccess
or ask your own question.

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

Not the answer you're looking for? Browse other questions tagged php.htaccess or ask your own question.

Related

Not the answer you're looking for? Browse other questions tagged
php
.htaccess
or ask your own question.