My Webhoster doesnt accept PHP Version change for single domains. The PHP version (7.3) work only for all domains on my webhost account. But for one domain, i need 5.3 and i cant configure it.
I can made extensions in "Apache-Configuration" > "for single Domains" but i dont know what command code i need here. I tried second way, in htaccess to force it via "AddHandler..." "AddType application/x-httpd-php53 .php" but the browser open/download a file instead.
can it be that my webhost does not allow simultaneous use of different versions? is there any possibility ?
Try all solution on stackoverflow i found. (My Site is a index.php)
AddType application/x-httpd-php53 .php
AddHandler application/x-httpd-php53 .php
AddHandler x-httpd-php5-3 .php
No PHP changing. Instead, browser want downloading a file.
This is what I use, for php 7.3:
#AddType application/x-httpd-ea-php73 .php .php7 .phtml .html .htm
#AddHandler application/x-httpd-php .htm .html
You may want to consider switching your webhost... the standard version of cPanel allows for multiple PHP installations, configurable per domain.
I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run with PHP even when the extension isn't .php! It just happens to have .php. in the filename, and that's enough for my Apache to run the PHP script.
I tried (as someone suggested) to put this in a .htaccess file on that folder:
php_flag engine off
But it didn't work on my machine.
The only solutions I know for now are:
Rename to known file extension, which is not run via PHP, such as .txt.
Remove all dots from the filename, thus making it extensionless.
But I'm still not sure how these solutions would work on other servers than my Windows server (with Apache).
Is there any other solutions which doesn't need the filenames to be renamed in any way?
for uploading by users I suggest that you upload a folder in a layer above the root path
in this case Only You Have Access To upload folder( In direct addressing)
and an attacker have not access to any files in this folder
Thus you disable an attacker action to run malicious file
To be completely secure, you'll need to do a couple of things:
Set your upload directory above your "public" folder, making it inaccessible from a browser. This setting is in php.ini (php config file). You'll need to restart Apache for this to take effect. On most Redhat / Fedora / CentOS web servers, this can be:
upload_tmp_dir = "/var/tmp/"
OR, on my local Windows 7 WAMP install, it is set to:
upload_tmp_dir = "c:/wamp/tmp"
Disable scripts from running on that directory (c:/wamp/tmp), in .htaccess:
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
In your PHP script, get the uploaded file, filter it based on mimetype (not filetype extension), change the filename, and put it into a secured publicly accessible folder. In more detail:
create a whitelist of filetypes, ex: only images (jpeg, png, gif, bmp). This can be done using mime_content_type() http://php.net/manual/en/function.mime-content-type.php or the newer finfo_file() http://us3.php.net/manual/en/function.finfo-file.php
choose a new filename, often it's best to use a random MD5 hash based on the original filename + salt + timestamp.
move it to a public folder, ex: "c:/wamp/www/project_name/public/uploads"
Preferably use an MVC framework, such as Zend Framework, which includes filetype filtering.
If you do all of that, you should be secure. Obviously you'll never be 100% safe, since there are countless obscure exploits targeting PHP, MySQL, the command line, etc, particularly on older systems. On larger company webservers (what I work on), they disable everything, and selectively enable only what is required for the project. With a system such as WAMP, they enable everything, to ease local development.
Good practice for working on a professional project is to get a cloud server account with Rackspace or Amazon, and learn how to configure php.ini, and httpd.conf settings, as well as PHP security best practices. In general, do not trust the users input, expect it to be corrupt / malicious / malformed, and in the end you'll be secure.
First of all you need to understand what happens here:
test.xyz.php.whatever.zyx
Such a file on a webserver on it's own would do nothing. Only added configuration does tell Apache to execute PHP on that file.
So if you remove that added configuration, Apache won't care to find .php in there - be it at the very end or part of a stacked file-extension.
Check which handler you have set for php in your server configuration. Remove it for the upload directory. This then won't resolve any other configuration issues you might have with uploaded files, however PHP files aren't executed by PHP any longer then - which is what you want if I understood you right.
If you've got a problem to find out what this is about, you need to post your PHP configuration in your httpd.conf file and associated Apache HTTPD configuration files for your system.
The directive somebody told you for .htaccess:
php_flag engine off
does only work if you're running PHP as an apache SAPI module.
Instead of php_flag engine off you could remove the handler for PHP files using an .htaccess file for a single directory.
In the directory you are disabling PHP in, your .htaccess should include:
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
You can likely get away with the below however, depending on which AddHandler types you have configured in your default Apache configuration, which, on windows, should be in C:\Program Files\Apache<version>\conf\httpd.conf
RemoveHandler .php
RemoveType .php
You will also need to ensure that in your main apache configuration file, that the directory containing the .htaccess file is in, is covered by a Directory statement which has AllowOverride FileInfo set. You may wish to consider AllowOverride All if you will be using .htaccess files for other purposes - see the Apache documentation for AllowOverride for an explanation of the differences.
Personally, this is the main reason I no longer upload files to the web server under any circumstances. Instead, I use S3 / Amazon SDK to move the uploaded temp file directly to a bucket on S3 with Private permissions (I use S3, any other CDN will work just as well). If the file needs to be viewed or viewed by a web client, I use a "getter" function of sorts that integrates with the SDK to get the file and display it.
There are just so many uncontrollable variables that come into play whenever you allow any kind of file upload to a web server, it can be difficult to manage permissions, filtering, and even just space. With S3 (or any other CDN), that is all very easy to manage, and all files are effectively quarantined from the server by default.
On Apache you could disable all dynamic handlers for the directory that contains the untrusted files.
SetHandler default-handler
this is not really good answer but hope useful in some special cases ...
you can use mod_rewrite in .htaccess file like this :
RewriteRule ^(.+).xyz.php.whatever.zyx$ index.php?openfile=$1 [NC,L]
and inside your index.php file :
$file = secure_this_string($_GET['openfile']);
include($file.'.xyz.php.whatever.zyx'); # or some other files
remember to see this answer for security reasons StackOverFlow
and in test.xyz.php.whatever.zyx file :
<?php echo 'hello';
now if client requests /test.xyz.php.whatever.zyx file , out put should be 'hello'
A simple regex would do the job
<?php
$a = strtolower($_FILES["file"]["name"]);
$replace = array(".php", ".phtml", ".php3", ".php4", ".php5");
$_FILES["file"]["name"] = str_replace($replace, "", $a);
?>
This works fine on any server
The following .htaccess-code could work and deny access to files containing "php":
<FilesMatch "php">
Deny from all
</FilesMatch>
I could reproduce your issue quite easily on our server. There is a way to fix this, you need to edit /etc/mime.types and comment out lines
#application/x-httpd-php phtml pht php
#application/x-httpd-php-source phps
#application/x-httpd-php3 php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4 php4
#application/x-httpd-php5 php5
These lines cause anything with .php in name to be processed.
Once you comment out the entries in mime.types, mod_php config in /etc/apache2/mods-enabled/php5.conf has this entry which correctly only processes files ENDING with .php
<FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
What is REALLY SCARY is that this is a default config (Ubuntu 10.04 in our case).
EDIT
On Windows the mime.types file should be in apache_home/conf/mime.types
I am with new web host. The public_html folder of each domain I create is auto generated with an .htaccess that has the following line:
AddHandler php5-script .php
What is this for?
This just instructs PHP to handle files ending in .php by passing them to the PHP5 interpreter. Without this configuration in place, the web server may serve the files to the end-user's web browser as raw PHP code, rather than executing the code. That raises the dangerous possibility of exposing database login credentials or, or other secrets.
Using the same mechanism, you could configure the web server to parse files with other extensions besides .php as PHP scripts and hand them to the PHP interpreter. This is occasionally done to mask PHP scripts by naming them with .html extensions, for example.
# Interpret both .php & .html as PHP:
AddHandler php5-script .php .html
It tells php to handle any file with .php in the filename, even if it's not at the end. A file named smile.php.gif will be interpereted as a php file, which is bad if you are going to be using an upload script. This is because Apache allows multiple extensions in any order, so gif.php.jpg is the same as gif.jpg.php. I have heard the best way to select the handler is with FilesMatch. Of course if your web host has this in their httpd.conf you would have to 'remove' it using your htaccess before using the FilesMatch if you don't have access to httpd.conf.
The answer is that the htaccess tells the webserver to handle the php as php5-script and execute it.
Regarding the first answer, you will achieve your goal but it is a really bad practice and you should not allow html files to be executed as php due to huge security concerns.
Is there any drawback to this setup?
I want to be able to run PHP5 filters and functions. Will renaming a file to something.php5 allow me to do this?
My hosting provider suggested this instead of upgrading to PHP5.
The default is still php4 with registered_globals ON.
Changing the file extensions won't change the version of PHP that's installed on the server. If your host only has PHP4 then you can only use PHP4 unless they're willing to give you PHP5. The only way this will work is if your host already has PHP5 running and has it setup to only work with files that have the .php5 extension (this is an entirely possible scenario).
I'd say the first thing to do is to create a simple phpinfo file, like below, and name it with the .php5 extension and see what it says.
<?php
phpinfo();
?>
phpinfo() will give you the PHP version in big bold text at the top of the file. So if a file with .php says it's PHP 4.x and a .php5 file says its PHP 5.x, then your host has both installed on the server and is telling Apache to use PHP5 with .php5 files and PHP4 with .php files.
And on a side note if your host has register_globals turned on and they won't turn them off, I'd recommend putting the following in a .htaccess file at your document root.
php_flag register_globals off
Are you allowed to rewrite those settings per directory with a .htaccess file?
If you can, just ask you hosting provider how the setting is made and change it just for you. Something like
Action application/x-httpd-php /path/to/php5
I enabled PHP5 on my website and my webhost needs me to add the following to .htaccess files for PHP5 to work:
AddHandler application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
Locally, I am running XAMPP to develop code, but XAMPP does not want to work with the .htaccess file above.
I think it is an issue with XAMPP not recognizing php5 (but it does recognize php if I use "application/x-httpd-php" instead of "application/x-httpd-php5")
How do I resolve this?! I need the .htaccess files to look like above so they work with my webhost, but I need XAMPP to work locally with the same files without making changes!
Apache has <IfDefine> directive. You can use it to hide AddType from your own server:
<IfDefine !MyServer>
AddType application/x-httpd-php5 .php5 …
…
</IfDefine>
And start apache with
apachectl -D MyServer
So, you're in kind of a tough place; ideally speaking your webhost should not need you to put extra gunk in your htaccess files. Not knowing XAMPP too well, I can't offer a specific solution, but I can give you some pointers:
Your webhost is running a custom compiled version of PHP that uses application/x-httpd-php5; while it is totally possible to build PHP yourself or find a custom build that has the SAPI layer configured appropriately, you probably don't want to do this.
Depending on how much leeway your host is giving htaccess files, it may be possible to use <IfDefine> or <IfModule> to only conditionally execute the PHP fudge code. I haven't tested, and your webhost may have disabled this functionality. Also, you will have to find an appropriate conditional to test against.
My favorite answer would be to suck it up, and maintain separate htaccess files. I do this on my website; I have a .htaccess.in file which contains "global" declarations, and an htaccess.php file which generates the real .htaccess file based on configuration, etc.
Hope that helps.
Another simple solution: change the config file name at home. E.g. in httpd.conf:
<Directory />
#existing stuff here...
AccessFileName .htaccess.home
</Directory>
Now your home server will ignore your ".htaccess" files. You'll configure it with ".htaccess.home" files.