We Keep Coding

Deny direct access to images/scripts via URL, but allow PHP to use it

I have images\*.png files and auto_scripts\*(.php|.bat) files in my root directory.
I want to restrict direct access of files and folder listing.
so far I have done,(in httpd-vhosts.conf)
<Directory C:/MyVirtualHost>
Options FollowSymLinks Includes ExecCGI
Require all granted
</Directory>
to restrict folder listing via URL (ie. www.mywebsite.com/includes/)
But I do not know how to restrict file access, like,
www.mywebsite.com/includes/sensitive_script.php
www.mywebsite.com/includes/private_photo.jpg
I do not understand the .htaccess file and tag, provided in other Stack Overflow's solution. Because it either allows both PHP and URL access (or) denies both access.
Help me to deny file access from URL, but not from PHP and HTML in root directory. Ask me for any clarification. I'm out of help here.

Restrict User For Folder Access in php

I am new in php i want to restrict user for folder access user can not access my images folder and i have one thumb folder in that images folder what should i do for that.
exammple :- i have one folder _cat_img and in that i have one more folder that name is thumb. i want to restrict user for both folders
i am try to use code with .htaccess but it's not working.
i am using this in htaccess
**Deny from All**
but it is restrict all folders what should i do to to restrict user for particular folder access any one help me for this

Use Directory apache directive for specifying a particular directory. Then give access directives (allow or deny) inside it.
<Directory "fullpath/_cat_img">
Order Deny,allow
Deny from all
</Directory>
<Directory "full_path/thumb">
Order Deny,allow
Deny from all
</Directory>
Edit
To activate .htaccess edit your apache conf and inside virtual host section of your website add these.
<Directory documnet_root>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Restart apache.

Restrict access to directories through ip address

I have a webserver with apache, say ip is 12.345.678.90. In my www directory there are a few sites, say, site1 and site2. Both belong to the same ip address - I created virtual hosts. Websites are on cakephp framework and there are a lots of directories, for example, app, app/tmp, lib, lib/Cake etc. When accessing the website like http://site1.com or http://site2.com everything is all right, and no way these directories can be viewed or accessed, but through ip I can see everything.
http://12.345.678.90/
http://12.345.678.90/site1/lib
http://12.345.678.90/site1/app
http://12.345.678.90/site1/app/tmp
etc - all this directories with containing files for each site are visible. So, how I can prevent any kind of access through ip address ? Actually when opening just the ip http://12.345.678.90 it just shows nothing, as I had created empty index.html file, but I cant do that for all the folders,(or create htaccess for each directory). Can this be handled through single htaccess, or maybe better, by apache config, or by some other way ?
Thanks

Try this
To disable Directory Listing
In your Apache configuration file (httpd.conf) file locate the directory section eg: /var/www/html
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Remove the word Indexes or change Indexes to -Indexes
Then restart your Apache server service httpd restart
To Restrict Access: Directory Level
You can restrict access to certain directories by adding the following
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Deny from all
</Directory>
By adding the above configuration to apache conf file the mydirectory will be blocked/restricted from access.
To Restrict Access: File Level
If you want to restrict a certain file in a directory. Add -
<Directory "/var/www/html/site1/mydirectory">
Order allow,deny
Allow from all
<Files myfile.php>
Order allow,deny
</Files>
</Directory>
To prevent access of all files by IP Address
<Files ~ ".+">
Order allow,deny
Deny from all
</Files>

this should work(add it to you main .htaccess file)
Options All -Indexes
this wont't allow other to see the files in your folder

How to secure PHP website (not yet uploaded in the internet)

I have a PHP system inside a server which is not yet uploaded in the internet and can only be accessed using networking. (E.g. 192.168.1.190/php_system/index.php) How can I fix the URL of this to avoid other computers to accessing files inside the php_system folder? And how can avoid them to accessing file using CTRL + Left Click or opening files inside iframe using another window?

Edit your Apache Virtual host to allow access only from certain IPs. Something like this:
<VirtualHost *:80>
ServerName EDIT.THIS.com
ServerAlias EDIT.THIS.IF.YOU.HAVE.ONE.com
DocumentRoot "/full/path/to/root"
<Directory /full/path/to/root>
Options FollowSymLinks
Order Allow,Deny
Allow from 192.168.0.1 EDIT.TO.ANOTHER.IP AND.ANOTHER
</Directory>
</VirtualHost>
Alternatively, add a "auth" value (that will require a login and password) like this:
<Directory /full/path/to/root>
AuthType Basic
AuthName "Admin"
// NOTE: do not include this in your website folder
AuthUserFile /path/to/.passwd_file
Require user user1 user2
</Directory>
Edit: Corrected the Order values.

Try http://httpd.apache.org/docs/trunk/platform/windows.html. this will show you directives on how to configure your Apache server on windows.

In the directory you want to protect, add a file called .htaccess (the period matters)
In this file, put the following three lines (EDITED based on Sven's inputs)
order deny,allow
allow from 127.0.0.1
deny from all
Now it should be impossible for anyone but you (logged in on the machine where Apache is running) from seeing the contents. Any file sharing that is active has to be turned off separately. Alternatively, you add a line that includes the IP address of the machine from which you want to access the server instead of 127.0.0.1 - you can even have multiple lines of allowed addresses, include ranges, ...
You will find a ton more information at http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order

Allowing only localhost to access a folder where all inclusive php files exist

We all have php files like 'connect_db.php' for include purposes only.
Suppose I have all those inclusive .php files in "www/html/INC"
And I have index.php
I want index.php accessible from browser to everyone, but I want to prevent users' direct access to "www/html/INC" folder. (e.g. when type in the browser 'www.domain.com/INC/' -> 404 error etc)
How do I achieve this?
Preferrably using .htaccess file in the root directory please.

Something like
<Directory /INC>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>
should work.

How do I achieve this?
Don't. As per my previous answer, it's much more secure to put connect_db.php in /www/, not in /www/html/INC/. If you are going to do so, then you'd use /www/html/.htaccess:
<Directory "/www/html/INC">
order allow,deny
deny from all
</Directory>

Google searches have brought me here so I figured I'd post what I found in the apache docs today. I'm not positive what versions of apache it is available in, but do a search for your version to verify.
Now you can just use Require local. I'd recommend putting an .htaccess in the folder that you want to restrict access to with just that line. However, if you must do it in the root directory then here's what it would be:
<Directory "www/html/INC">
Require local
</Directory>

As of Apache 2.4, Require is the way to go.
E.g. the following denies access to the /www/html/INC directory by anyone except localhost:
<Directory "/www/html/INC">
Require all granted
Require ip 127.0.0.1
</Directory>

Move connect_db.php to the more high level in directories tree, than public directory.
And all scripts, which should not be executable - too.
/home/user/project/incs/ -- here your inclusive scripts
/home/user/project/www/html -- here your index.php and other executable scripts.