
Thread: Deny user access to .php files, but allow script access

  1. #1
    Join Date
    Jul 2010
    Thanked 0 Times in 0 Posts



    I'm currently using mod_rewrite to direct all requests to my main index.php file. This file then pulls stuff from a DB and displays content based on the URI the user entered.

    This allows me to have URIs like:

    The main index.php file includes a number of .php files to help make up each page (like 'header.php' and 'footer.php').

    All these included .php files are in a subdirectory 'pages'.

    This all works great so far, but I've discovered an issue: someone can go to one of the include files (i.e. '').

    I'd like to stop people getting access to any files within the 'pages' directory or indeed any request that contains '.php'.

    After a load of Googling I've tried various bits of code to attain this, for example:

    <Files ~ "\.php$">
    Order allow,deny
    Deny from all
    </Files>

    However, this then prevents my actual script from including the .php files as well.

    So what I'd like to do is allow my main index.php script to include whatever it wants, but stop users from accessing the 'raw' .php files as it were.

    The .htaccess file so far:

    Options +FollowSymLinks
    RewriteEngine on
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript
    FileETag none
    RewriteCond %{http_host} ^ [NC]
    RewriteRule ^(.*)$$1 [R=301,L] 
    RewriteRule ^index.htm$ [R=301,L]
    RewriteRule ^([^\.]+)/?$ index.php [L]

    Any suggestions are much appreciated!


  2. #2
    Join Date
    Mar 2006
    Illinois, USA
    Thanked 690 Times in 678 Posts


    I'm not an expert with mod_rewrite, but I've been doing similar things lately.

    I wrote a tutorial here:

    That's a way to do exactly what you want: use a single page to serve all pages on the server, or within a certain folder.

    You could do several other things too. Here are some ideas/notes:
    1. You are using full URLs. I don't think that's the best way since it may not then be transparent. Instead, use URIs relative to your server root. See my tutorial for an example. Basically instead of, use only /.
    2. You can create a new .htaccess file inside /pages, and within that you can just deny every request, and send them either to a 404 page or to your main index page.
    3. You can make "*.php" a redirect condition and also a !/index.php condition. That way if it's a .php page but not your index, it will be redirected. For the exact syntax on this, try some Google searches. I'm not sure exactly how to write it. You may also have to use trial and error to figure out the relative ordering of the rules. But also, are you sure you want to (always?) have a single .php page? Would it not be better to just block access to your /pages directory as above? That's probably easier too.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
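
Suggestions 2 and 3 from the reply above, written out as an added example that is not part of either post. It assumes the include files live in /pages under the document root as described, that mod_rewrite is enabled, and that the host allows these directives in .htaccess; the 404 response is one choice among those the reply mentions.

```apache
# ---------- File 1: /pages/.htaccess (suggestion 2) ----------
# Refuse every HTTP request for anything in this directory.
# PHP's include/require read files from the filesystem, not over HTTP,
# so index.php can still pull in header.php, footer.php and the rest.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>

# ---------- File 2: /.htaccess in the document root (suggestion 3) ----------
Options +FollowSymLinks
RewriteEngine on

# %{THE_REQUEST} is the raw request line the client sent, for example
# "GET /pages/header.php HTTP/1.1". Internal rewrites do not change it,
# so the rewrite to index.php further down never trips this rule.
# First condition: the requested path contains ".php".
# Second condition: it is not a direct request for /index.php.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s[^?\s]*\.php[?\s/] [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]+\s/index\.php[?\s] [NC]
RewriteRule ^ - [R=404,L]

# Front controller rule from the original post, unchanged.
RewriteRule ^([^\.]+)/?$ index.php [L]
```

Either file is enough to stop direct requests for the include files; used together, the /pages rule still holds if the rewrite rules are later edited or mod_rewrite is disabled.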

