This question already has answers here:
.htaccess deny access to specific files? more than one
(3 answers)
Closed 8 years ago.
I want to deny access to multiple PHP files in directory /all/cstl/.
My .htaccess is also stored in this directory.
This is my current code and it's not working.
<Files "\ (config.php|function.php|include.php)">
Order allow,deny
Deny from all
</Files>
I have tried to deny the directory and allow specific files but it denies the directory and does not allow the requested .php files. My code for this is:
<Directory />
Order deny,allow
Deny from all
<Directory>
<Files "index.php|post.php">
Order deny,allow
Deny from all
</Files>
Please give me some example of blocking access to multiple specific files within a directory.
There are several problems with the .htaccess you have there.
As BSen linked in the comment above, you should use FilesMatch.
Also, your regular expression is wrong.
The problem with the regular expression is that you have an escaped space at the start, so all files must start with a space character (followed by one of config.php, function.php etc)
Also a small explaination of the Order allow,deny directive:
http://www.maxi-pedia.com/Order+allow+deny
Try this:
<FilesMatch "config\.php|function\.php|include\.php">
Order allow,deny
Deny from all
</FilesMatch>
If you'd like to deny all but a few files, this would read as
Order deny,allow
Deny from all
<FilesMatch "index\.php|index\.html">
Allow from all
</FilesMatch>
Related
How to stop php from executing .php files while being accessed directly. I want to do routing on files and also want to stop users from directly accessing the .php files. Is there anyway to change the .htaccess file to achieve the functionality.
Prevent direct access to php files
write code in .htacess file.
<Directory "^public_html">
<Files "^(*.php|*.phps)">
order deny,allow
deny from all
</Files>
</Directory>
Or
<Files *.php>
deny from all
</Files>
This question already has answers here:
Anyway protecting your site from external site scandir
(2 answers)
Closed 6 years ago.
here's my website organization:
index.php includes header, home, and footer files:
How should I set .htaccess so that MyWebSite/ is the only allowed URL?
You could try it this way. Block all php files except from localhost or server IP address.
For Apache < 2.4
<Files ~ "\.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files "index.php">
Order Allow,Deny
Allow from all
</Files>
For Apache >= 2.4
<Files ~ "\.php">
Require all denied
Require ip 127.0.0.1
</Files>
<Files "index.php">
Require all granted
</Files>
Mamp should be using Apache 2.4 so the 2nd example should work.
I'm triyng to blobk access to certain files.
I have on my server many files like this
filename_sql.php
Basically i need to disallow user to access directly to sql.php files:
http://url.com/filename_sql.php <<<
I have created an htaccess with this code, but i can access files direcly calling url.
What do I wrong?
<Files ~ "\.sql(.php)?$">
Order allow,deny
Deny from all
</Files>
Thanks all.
Your regex expression is matching filenames that end in ".sql.php", but the example filename you listed ends with "_sql.php"
If you remove the first period, it should match requests like "filename_sql.php" (or anything ending with "sql.php"):
<Files ~ "sql(\.php)?$">
Order allow,deny
Deny from all
</Files>
But, an even better method for keeping these files from being directly accessed, would be to move them outside of the root/public directory.
I think this will do the trick
<Files ~ "\.sql(\.php)?$">
Order allow,deny
Deny from all
</Files>
You forgot to put \ before .php.
I have various subfolders on my website and I would like for the user not to be able to access them through URL but on the same time my main PHP files to be able to include them or use them as actions on forms or links.
I tried using an .htaccess with
<Files *>
Order Allow,Deny
Deny from All
</Files>
but it denied all access even from within my own scripts. Logical as I found out, but I cannot know how to make it work. Any ideas?
P.S. My main concern is that some of the files are not included in main PHP files BUT they are linked there and their code ends up with a header('Location: ../index.php'); returning to the main page of the project.
I see a lot of answers with Allow,Deny not Deny,Allow
The order of this matters and is causing the problem. You are telling the computer that deny is more important than allow, because it is listed last. To show you... if you say:
<Files .htaccess>
Order Allow,Deny
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
You are saying first Allow anyone Allowed, then Deny All... Which still Denies ALL.
If you reverse to Deny,Allow you are saying Deny All, then Allow anyone Allowed.
<Files .htaccess>
Order Deny,Allow
Deny From All
Allow From xxx.xxx.xxx.xxx 127.0.0.1
</Files>
Allow command, being more important, because it is the final command, is therefore allowing those listed after Allow From command.
xxx.xxx.xxx.xxx = Your IP
Do this:
<Files *>
Order Deny,Allow
Allow from 192.168.100.123 127.0.0.1
Deny from all
</Files>
The list of IP's will be specific hosts you allow, like localhost.
This also works with the directive, not just file, if you want only certain directories blocked.
There is an even safer method. Store your include files below the web accessible folders. So if your web files are here...
/var/www/mysite.com/
Store your include files here:
/var/includes/
Then include them with a full path...
include '/var/includes/myincludes.inc.php';
From the web, the myincludes.inc.php file is completely inaccessible.
Usually to protect these logic files from public access you can
put it in protected directory, above htdocs
add a check for public constant.. if(!is_defined(some_root_const)){die();}
change extension to .inc or something.. and deny with .htaccess based on that
put your application code outside of your public html folder. then you can add an include path at the top of your scripts to allow your script to access them as if they were in the same folder.
http://php.net/manual/en/function.set-include-path.php
In you .htaccess you will have to specify which IP's, hosts you want to allow and you can do it per directory as well. for e.g.
<Directory /dir/to/block>
Order Allow,Deny
Allow from 192.168.0.1 4.4.4.4
Deny from All
</Directory>
<Directory /dir/to/allow>
Order Allow, Deny
Allow from All
</Directory>
I am able to disable access to a file with .htaccess, but I don't know how to disallow multiple files to be viewed (directly, not from includes)
They are .php so I can't disable a file type (like the only tutorials online say..)
<FILES ... ?
</FILES>
Or something.. For example "home.php, file.php , test.php" how do I disallow access to all three files with that tag? or similar, help please!
If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:
<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>
Looks like you have to exclude those files one by one:
<files home.php>
Deny/Allow/Whatever
</files>
<files file.php>
...
You can use *.gif in <files> or something*, but as home.php, file.php and test.php can't really be grouped with a "*", this is probably the only way to go.
since apache 2.4
<FilesMatch "\.htaccess|config\.php">
Require all denied
</FilesMatch>
instead of
<FilesMatch "\.htaccess|config\.php">
Order allow,deny
Deny from all
</FilesMatch>