So, ok. I have many php files and one index.php file. All files can't work without index.php file, because I include them in index.php. For example. if somebody click Contact us the URL will become smth like index.php?id=contact and I use $_GET['id'] to include contacts.php file. But, if somebody find the file's path, for example /system/files/contacts.php I don't want that that file would be executed. So, I figured out that I can add before including any files in index.php line like this $check_hacker = 1 and use if in every files beginning like this if($check_hacker <> 1) die();. So, how can I do it without opening all files and adding this line to each of them? Is it possible? Because I actually have many .php files. And maybe there is other way to do disable watching separate file? Any ideas? Thank you.
You could put your index.php alone in your web directory. And put all the files it includes in another non web directory.
Let's say you website http://www.example.com/index.php is in fact /path/to/your/home/www/index.php, you can put contact.php in /path/to/your/home/includes/contact.php. No .htaccess, rewrite, auto appending. Just a good file structure and a server configured like needed.
Edit to detail my comment about using xamp :
In your httpd.conf file, add something like this :
<Directory "/path/to/your/site/root">
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
<VirtualHost *:80>
DocumentRoot /path/to/your/site/root
ServerName www.example.org
</VirtualHost>
Then in your windows hosts file (in C:\Windows\System32\drivers\etc), add this line :
127.0.0.1 www.example.com
I would highly recommend to use the .htaccess file to rejects all requests for files diffrent to index.php but I am not quite sure how to do that propperly.
This might work (can't test it now) but it will also block requests to css, js and so on:
order deny,allow
<FilesMatch "\.php">
deny from all
</FilesMatch>
<FilesMatch "(index.php)">
allow from all
</FilesMatch>
If someone knows the right solution, please edit my answer.
You might check this question: Deny direct access to all .php files except index.php
So you might have a FilesMatch only for php files in addition to the index.php rule.
EDIT: The new version of the code seems to work.
In response to Kau-Boy:
Place all your php files (except index.php) in a new directory and put the .htaccess file with the following contents:
deny from all
Make sure you don't put any images/css/jscript resources in this directory, because they will be blocked as well.
I'd use mod_rewrite in this case (if you are using Apache). It's much cleaner solution than writing gazillions of useless ifs in PHP.
This way, if someone wanted to "hack it" and tried /system/files/contacts.php, it'd redirect them to index.php?id=contact or whatever other site.
In your php.ini or in you htaccess set the following variable:
auto_prepend_file="[path to some .php file]"
This will include a header file of your choice that will be included before all php scripts on the system.
The php.ini directive auto_append_file, will create a footer that is included at the end of all PHP files on the system.
Check out the technique at http://www.electrictoolbox.com/php-automatically-append-prepend/
RewriteCond %{REQUEST_URI} system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
Will redirect any attempt to system folder back to root!
Related
I have read through almost every post regarding this issue, and nothing seems to work.
I have successfully rewritten the below code, and it works just fine. The .htaccess file is in the /~user/business/ folder. I use RewriteRule ^index/([0-9]+)/?$ /index.php?id=$1 [QSA,PT] while accessing http://localhost/~user/business/index/155/. However, when I try to get the variable in php, it returns nothing. The rewrite works as it does load index.php, but no get variables at all.
My main goal, I want to access the id from the code above, but nothing shows up. <?php echo $_GET['id']; ?> Even when I try this print_r($_GET); the array of all get variables, it returns an empty array. I also do not want to append the query to the end of url at all.
Lots of posts have answers that work according to responses, and even when I copy them word for word, letter for letter, changing the directories and addresses, nothing seems to work.
I am using Apache 2, set up on a MAC as localhost. Is there something wrong, maybe in the php.ini file?
After many times trying, as much as reconfiguring the entire virtual host setup on my mac, I realized that it was a very simple error once I realized it, and it had nothing at all to do with my .htaccess file.
My file name was index.php and my rewrite was RewriteRule ^index/([a-zA-Z0-9_-]+)/ index.php?id=$1 [NC,L] and for some reason, it will not let me use ^index if there is a file called index.php. I can name ^index to ^page or ^blue or anything else but not ^index and it will work fine.
What I realized was that my /index.php page can be loaded simply by typing /index. And therefore, was not actually a redirect, it was the stand alone page.
In order to fix this I had to add a few lines of code to my vhost.conf or my user.conf file under <Directory "/Users/User/Sites"> file using the terminal.
sudo nano /private/etc/apache2/extra/httpd-vhosts.conf
and in this, the code I had to removed MultiViews from the options.
<Directory "/Users/User/Sites">
Options Indexes FollowSymLinks SymLinksifOwnerMatch MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
so it now looks like this
<Directory "/Users/User/Sites">
Options Indexes FollowSymLinks SymLinksifOwnerMatch
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Once I did so, /index.php page can no longer be loaded by typing /index. And therefore, I could use the code I originally used in my .htaccess file. And all is solved in paradise. It took a lot of very hard digging and one major headache.
Thanks for your help guys.
Ok so I've recently installed to test Orbis CMS, and I love it, except two things - this being one of them.
Test page 'page.php' worked fine, great! Incorporated it into an existing html page and that's where I ran into the issue. Duhr, it won't run the php snippits.
Quick Google shed light that I needed to add a piece of code into the .htaccess file to allow the html file(s) to run the php code. Tried it, and nothing, didn't work, at all. Was going off this link (provided by Orbis) here: http://php.about.com/od/advancedphp/p/html_php.htm
When I did it for all pages it started doing funky stuff and asking me to download/open pages when I clicked the links throughout the site, but not every link.. ?? When I did it for the single test page it didn't work full stop.
Anyone got any ideas?
Cheers.
Why don't you just rename the .htm file to .php ? You can have normal HTML in PHP files aswell, just outside of the <?php ?>Tags.
.htaccess has to be allowed from your hoster, so that might be the reason why it didn't work.
EDIT: Then just replace the .htm File with a redirection to your .php file.
You can achieve this by <meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com/yourfile.php">
Or if the .htaccess is run by the webserver you can do a redirect there:
Redirect /youroldsite.htm yournewsite.php (would be the better version)
You need to change your .html to .php.
as you mentioned that .htaccess is not working check these thing it may help you
Is .htaccess enabled?
It's unusual, but possible that .htaccess is not enabled on your site. If you are hosting it yourself, it's easy enough to fix; open your httpd.conf in a text editor, and locate this section
Your DocumentRoot may be different, of course
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/htdocs">
#
locate the line that reads..
AllowOverride None
and change it to..
AllowOverride All
Restart Apache. Now .htaccess will work. You can also make this change inside a virtual host, which would normally be preferable.
If your site is hosted with someone else, check your control panel (Plesk. CPanel, etc.) to see if you can enable it there, and if not, contact your hosting admins. Perhaps they don't allow this. In which case, switch to a better web host.
and also check that rewrite_module is marked
Rename your Files to .php or change your server configuration to recognize .htm files as PHP files, too.
Example (httpd.conf):
<IfModule php5_module>
AddType application/x-httpd-php .php .htm .html
</IfModule>
As an alternative you could setup mod_rewrite to route to your php file on specific URLs.
You need to change your .html to .php. You mentioned you need to keep the link equity from other sites to your .html pages. To get around this, simply add a 301 redirect in your .htaccess file.
//301 Redirect
Redirect 301 oldfile.html newfile.php
I read here lot of answers about protecting a file on apache server, some told htaccess is only for deny user access for files. For me not..
Using the following lines I cant reach the xml, BUT my php script also can't!
<Files sample.xml>
Order allow,deny
Deny from all
</Files>
So how to protect a file from users, so that my php script could access it. The file is in the root dir.
If you are on a linux server, have a shell access to it, you change your file permissions to
chmod 0700 yourxmlfile.xml # this will make it readable/writable/executable only by the creator of the file.
or in your .htaccess file, you can do this:
RewriteEngine on
RewriteRule ^yourfile.xml$ 404.html
where your 404.html could be either a page not found page or any garbage page, which will display as invalid url.
If by users you mean people accessing your website from outside, you have several solutions:
The best way would be to move it out of the web root (if you can). That will surely protect it from outside access.
If you can't put file outside the web root, use a htaccess to protect the file by allowing access from the local machine only :
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
I also suggest putting it in a protected subfolder where you could store all your private files.
You can also redirect the user to a 404 page by adding the code below to your .htaccess:
RewriteEngine On
RewriteRule ^(.*)your_file(.*)\.xml$ [R=404,L]
On .htaccess how would I be able to disallow PHP files from accessing anything outside their directory, without using open_basebdir()?
Basically I'm going to generate .htaccess files into some dynamically created sub directories that cannot interact outside of themselves.
EDIT: Sorry I meant accessing, not moving.
.htaccess files are for Apache, not PHP.
What you want to do sounds more like the job of a VirtualHost.
php doesn't even know about the existence of your .htaccess files, so they can't avoid any script from moving any file
Something like this?
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from #Root dir of your php file
</FilesMatch>
I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
Can this be done (and if so, how)?
I use WAMP server
Try to disable the engine option in your .htaccess file:
php_flag engine off
To disable all access to sub dirs (safest) use:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Location to match php files (I prefer the above files approach)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>
If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
RemoveHandler .php
or
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
Edit
Lance Rushing's solution of just denying access to the files is probably better
<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>
This will display the source code instead of executing it:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
WARNING !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
This method should be avoided! (you have been warned. Left it here for educational purposes)
None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
But this worked for me :
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.
#Oussama lead me to the right direction here, thanks to him.
If you use php-fpm, the php_admin_value will NOT work and gives an Internal Server Error.
Instead use this in your .htaccess. It disables the parser in that folder and all subfolders:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.
On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.
I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)>
php_admin_value engine Off
</DirectoryMatch>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<?php
echo "<strong>PHP CODE EXECUTED!!";
$a=1;
$b=2;
echo $a+$b;
The above produces in web browser?
PHP CODE EXECUTED!!"; $a=1; $b=2; echo $a+$b;
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<FilesMatch ".*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$">
Order Deny,Allow
Deny from all
#IPs to allow access to the above extensions in current folder
# Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
</FilesMatch>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
Forbidden
You don't have permission to access /nophpexecutefolder1/somefile.php on this server.
<Files *.php>
Order deny,Allow
Deny from all
</Files>