Deny access to all PHP files in a directory using .htaccess

6
votes

I'm attempting to deny access to anyone surfing for PHP files in a specific directory:

example.com/inc/

I've created an example.com/inc/.htaccess file with the contents:

Order deny,allow
Deny from all

This results in a 403 Forbidden response when I try to access one of the files. For example: example.com/inc/file.php

The problem is, my web server is also denied access and my application stops working.

How can I deny access to people surfing for such PHP files but allow my shared web server access?

Note: I'm using GoDaddy shared hosting.

4
phpapache.htaccess
How is your web server "also denied access"? That is an apache directive. Unless you were including files to your other scripts via http this shouldn't be an issue. PHP works on the file system which means it ignores apache directives/rules. Another option (and usually preferred) is to just move the directory you don't to allow access outside of the web root. Then php can't be run from that directory but other scripts have access to the files for includes and such.Jonathan Kuhn
There is no difference between someone trying to access file.php and your web server accessing file.php. HTTP_REFERER can be used probably but that is a very weak check.anubhava
Possible duplicate : stackoverflow.com/questions/409496/…vard
@anubhava Is there a reason why your web server would ever need to access another file on the web server via http through apache?Jonathan Kuhn
Web server needs to access is actually a confusing term as every access to file.php is via site's webserver only. Probably OP meant that there is some link to file.php on the website.anubhava

4 Answers

7
votes

I would would just use a rule and block the access that is entered by the user. This will block any php file that is entered.

RewriteEngine On
RewriteRule ^.*\.php$ - [F,L,NC]

Edit based on your comment. Try this way.

<Files (file|class)\.php>
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1
</Files>

Replace 192.168.0.1 with your server IP address.

2
votes

Use proper directory structure put your files to lib/ directory for example and include them from file which is not present in this directory. This is how common frameworks works.

You can even map your url to web/ directory and put lib one directory up then you are sure that there is no access to your .php file but only index.php and assets.

You can read how it is solved for example in Symfony2 http://symfony.com/doc/current/quick_tour/the_architecture.html it'll give you some clues.

1
votes

To block navigation access to all files ending in .php you can use:

RedirectMatch 403 ^.*\.php$
1
votes

To only deny access to php files you can use this:

<Files *.php>
order allow,deny
deny from all
</Files>