PHP: allow users to download .php files, how can I prevent them from starting?

Question

PHP: allow users to download .php files, how can I prevent them from starting?

I allow people to upload files of their projects, I tightened my security, but I just need to go to a simple point. How can I stop the execution of any files in the subdirectories that they download too?

I think that .htaccess, but I will need to generate one for each new subdirectory (I think), I will need to abandon my current code and use the file .phpto send headers to force DL to run instead?

Do you think this is a simple and safe solution for this? It just loads into a subdirectory, for example, uploads/~foo/bar.htmlor something like that, it looks good, so it would be nice if it remained like this format.

+3

security php permissions

John S. Jun 19 '10 at 9:31

source share

2 answers

If, for example, these downloaded files are located in the "uploads" directory and its subdirectories:

RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]

0

Radek Suski Jun 19 '10 at 9:39

source share

Emil Vikström · Accepted Answer · 2010-06-19T09:36:28+0000

Put this in uploads/.htaccess:

RemoveType application / x-httpd-php.php

This will work for all subfolders. Also make sure that you do not parse .htaccess in user folders. This can be done using AllowOverride Nonethe configuration of the main server, or it can be done if you do not allow the download of .htaccess files.

PHP: allow users to download .php files, how can I prevent them from starting?

More articles: