PHP - how to prevent .php files from direct access - php

i have following folders:
mywebsite/en/index.php
mywebsite/en/product/info.php
mywebsite/en/tags/tags.php
mywebsite/en/games/list.php
my site is running on friendly url, top mentioned files accessable from following friendly urls
mywebsite/en/?pageno=1
mywebsite/en/product/Nike-glove
mywebsite/en/tags/Nike
mywebsite/en/games/ice-sports
i have some examples, but nothing work for me like...i want to prevent direct access to .php files..i want to do that with htaccess...can i?
thanks and kind regards
Reelmark

add 404 page and try following...
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ 404.php [L]

Not sure exactly sure what you are trying to accomplish, but this will prevent direct access of your php files:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteRule \.php$ / [F,L]
Though I'm guessing you really want to redirect to the friendly urls when accessing the php files directly.

<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>

The solution I've settled on is based on #Fou's answer, but I've modified it to handle the case of /script.php/oops and opted to rewrite the response code as 404 instead of using a temporary redirect:
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .* - [R=404]

just add this into your htaccess file... give it a try :) hope it useful
RewriteEngine On
IndexIgnore *

Related

htaccess: redirect certain file types to PHP script

I am trying to prevent direct access to certain file types and redirect them to PHP script.
Example: user/browser requests
http://example.com/files/example.pdf
And I want it to be handled by download.php script. So basically final url should be
http://example.com/tools/download.php?file=files/example.pdf
What I've tried:
<FilesMatch "\.(psd|log|sh|pdf|doc)$">
RewriteRule ^/files/(.*)$ /tools/download.php?file=$1 [NC,L]
#Order Allow,Deny - with or without this
#Deny from all - with or without this
</FilesMatch>
and
RewriteRule ^.*\.(pdf|doc|xls|xlsx|docx|zip)$ /tools/download.php?file=$1 [R=301,L]
And I can't seem to get it work. Any ideas?
I recommend navigating all about index.php and then dealing with php code instead of htaccess
RewriteEngine On
RewriteRule ^.*\.(pdf|doc|xls|xlsx|docx|zip)$ /tools/download.php?file=$1 [R=301,L]
This should do the trick. Please report back, if it won't work.
I would also suggest, like the others already said, to deny all direct access and to perform all routing via PHP.
A better idea is to tell htaccess that if the file is there in the public folder, just serve it, and if not, fire it through your index.php, which would then no doubt route to your download controller.
Something like this:
RewriteEngine On
# The following rule tells Apache that if the requested filename
# exists, simply serve it.
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
# The following rewrites all other queries to index.php. The
# condition ensures that if you are using Apache aliases to do
# mass virtual hosting, the base path will be prepended to
# allow proper resolution of the index.php file; it will work
# in non-aliased environments as well, providing a safe, one-size
# fits all solution.
RewriteCond %{REQUEST_URI}::$1 ^(/.+)(.+)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
RewriteRule ^(.*)$ %{ENV:BASE}index.php [NC,L]
So basically I managed to make it work.
NB! RewriteRule keeps serving the file if it exists, it fires only if file
does not exist.
The solution for me is to use RedirectMatch:
RedirectMatch ^.*\.(psd|pdf|whatever)$ /tools/download.php?file=$0
...And play with it using Private browser windows on each link click, because browser - Firefox in my case - is somehow caching "click response".

htaccess - Redirect to error page if user attempts direct file access?

I have a website where the main directory contains a few files i don't want to be directly accessed using urls like this:
http://website.com/somefile1.ext1
http://website.com/somefile2.ext1
http://website.com/somefile1.ext2
http://website.com/somefile2.ext2
Currently they download if you enter the urls in a browser. Instead i would like to redirect them to a error page like this:
http://website.com/404
I found this snippet online but it doesn't work, it also doesn't redirect:
<Files ~ "\.(ext1)$">
Order allow,deny
Deny from all
</Files>
What would the correct .htaccess code be to do this task?
Edit:
I redirect site.com/script.php etc to site.com/script with this code:
RewriteEngine On
# turn on the mod_rewrite engine
RewriteCond %{REQUEST_FILENAME}.php -f
# IF the request filename with .php extension is a file which exists
RewriteCond %{REQUEST_URI} !/$
# AND the request is not for a directory
RewriteRule (.*) $1\.php [L]
# redirect to the php script with the requested filename
Try it like this I didn't tried it for now,
RewriteEngine On
RewriteCond %{REQUEST_URI} \.ext\d$
RewriteRule ^ 404 [R=301]
Try
<FilesMatch "somefile\.ext$">
Deny from all
</FilesMatch>
You don't need to use the Order directive if you want to deny access from all.

htaccess | How to redirect using RewriteRule ? Simple

I have this URL pointing my web site:
http://www.mysite.ext/.htaccess.aspx-->/
and I like to redirected to
http://www.mysite.ext/
but I can't.
In my .htaccess file I have enter this rule:
RewriteRule ^(.htaccess(.+))/?$ http://www.mysite.ext/? [R=301,L]
but doesn't work
also I have try the following:
RewriteRule ^(\.htaccess\.aspx(.*))/?$ http://www.mysite.ext/? [R=301,L]
but still no luck. I don't know if that helps, but the site is based on PHP.
Any idea please ?
Is it realy so hard ?
Can somebody to help me please ?
Not sure how you are you getting requests for /.htaccess.aspx and why you want to redirect them.
However keep in mind that Apache configs usually block access to .htaccess using directive like below:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
That throws 403 (Forbidden) error for any request that starts with /.ht.
Workaround:
Have a custom handler for 403:
ErrorDocument 403 /errorPage403.php
and have this redirect rule:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/+\.htaccess\.aspx [NC]
RewriteRule ^ /? [L,R]

Preventing access to include files

I'm having a problem with .htaccess file rewrite rules. I want to have one .htaccess file in my root directory and to have rule over there to stop people to be able to access files directly over browser. So, for example I have folder blah/includes/file.php and .htaccess file is in blah/ folder, I want to prevent people to be able to just type in browser blah/includes/file.php and get that file, but also I want my functions in app to be able to use those files. I understand that is almost impossible for them to know exact name of my include files but I would like to be sure.
Thanks in advance.
here is my code which is not responding:
<IfModule mod_rewrite.c>
## Enable Mod Rewrite, this is only required once in each .htaccess file
RewriteEngine On
RewriteBase /
## Test for access to includes directory
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /includes/ .*$ [NC]
## Test that file requested has php extension
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
## Forbid Access
RewriteRule .* - [F,NS,L]
</IfModule>
Note: I'm testing in localhost if that is maybe important.
Problem is in the first RewriteCond you have a space after /includes/, which throws an error.
BUT: I wouldn't use %{THE_REQUEST}, as it contains the HTTP Request (see http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond). Use %{REQUEST_URI} instead.
So, if you want to forbid access to /<folder>/include/*.php, you can use just this code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/[^/]+/includes/.*\.php$ [NC]
RewriteRule .* - [F,NS,L]
</IfModule>
Assuming your .htaccess lies in the blah/ folder.
The quickest way would be just to put a one-line .htaccess file in your includes directory:
deny from all
The other alternative is to place your includes folder outside of your web-accessible directory.
/home/
/username/
/includes/
/public_html/
/index.php
If you still want to use a RewriteRule, then this is the one you’d use:
RewriteRule ^includes/ - [F,L,NC]
Which would return a 401 Forbidden response trying to access a URI that begin with includes.

Blocking direct access to index.php with CodeIgniter

I've managed to remove the need for typing index.php in my urls, but it is still possible to do so. I don't want that and want to prevent users to be able to access my application via urls like /index.php/home or /index.php/contact or even /index.php.
Does anyone know how to accomplish this?
In you .htaccess write in the top
DirectoryIndex my_new_index.php
RewriteEngine on
RewriteCond $1 !^(my_new_index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /my_new_index.php/$1 [L]
Rename your index.php file to my_new_index.php
Exactly. Here's an example:
RewriteRule ^foo\.html$ bar.html
Or you can use variables like so:
^hotsheet/(.*)$ http://www.tstimpreso.com/hotsheet/$1
If you're using Apache, then just setup a rewrite rule to redirect users from index.php to /
RewriteRule ^/index\.php$ /
RewriteRule ^/index\.php/(.*) /$1

Categories