Deny Direct Access to All .PHP Files Except Index.PHP

Deny access to all .php files except root index.php

You cannot do it with the <FilesMatch> or <Files> directive alone: you need to combine them with <Directory>. For example:

<Directory /var/www>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
<FilesMatch "^index\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
</Directory>

<Directory /var/www/*>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
</Directory>

The catch here is that you should edit httpd.conf or similar files, as the <Directory> directive cannot be used in .htaccess.

If you can't update .conf files and .htaccess is the only way around, you would have to copy the shown rule into each directory's .htaccess, I suppose. Whether or not it's better than using the if(defined(...)) trick is up to you.
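The same restriction in Apache 2.4 syntax, as an added example that is not part of the answer above; it assumes mod_authz_core with the default AuthMerging Off, so when several sections match a request the Require of the later-applied section replaces the earlier one:

```apache
# Apache 2.4 equivalent of the Order/Deny/Allow rules above (added example, not from the answer).
# Assumes the default AuthMerging Off: the Require of the later-applied
# matching section overrides the earlier one.
<Directory "/var/www">
    # Block every .php file in the document root ...
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    # ... then re-grant only index.php (this section is applied after the one above, so it wins)
    <FilesMatch "^index\.php$">
        Require all granted
    </FilesMatch>
</Directory>

# Subdirectory sections are applied after /var/www, so this denial also covers sub/index.php
<Directory "/var/www/*">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
```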

deny access to all files except the index.php and the domain name with .htaccess

You can actually just make the filename optional in the regex (you don't need to use mod_rewrite). For example:

Order deny,allow
Deny from all
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>

This will allow direct requests to index.php and also requests for the directory (no filename), which results in index.php (the DirectoryIndex) being served by mod_dir via an internal subrequest (which occurs later).

Note that you can't simply permit an empty filename (i.e. "^$"). Whilst this allows the initial request for the bare directory, it will result in the internal subrequest for the DirectoryIndex, i.e. index.php, being blocked - so ultimately the request is blocked.

Note also that this allows access to all index.php files in all subdirectories and all directories that contain an index.php index document.


However, if you are on Apache 2.4 then you should be using Require instead, since Order, Deny and Allow are all deprecated on Apache 2.4.

Require all denied
<FilesMatch "^(index\.php)?$">
Require all granted
</FilesMatch>


UPDATE: My website is a single-page application: just an index.php page controls all of my website with jQuery AJAX requests, so I want that when the user writes any other link except my domain name, the .htaccess will redirect the user to the domain name.

It sounds like you need to implement a front-controller pattern. The simplest form is using the FallbackResource directive. For example:

FallbackResource /index.php

Any requests that would otherwise result in a 404 are routed to /index.php. Any static resources (CSS, JS, images etc.) remain accessible and are not routed to /index.php.

Deny access to all files in a directory unless a specific PHP page is the referrer

Try something like this:

RewriteEngine On
# Only apply the rule when the Referer header does not mention request_file.php
# (the Referer is supplied by the client, so this is only a weak check)
RewriteCond %{HTTP_REFERER} !request_file.php
# A status outside 3xx drops the substitution and stops processing, so this answers 404
RewriteRule ^uploads/downloads/ - [L,R=404]

htaccess - disallow direct access to all files except logged in users (PHP)

You cannot do this with .htaccess alone. What you need to do is:

  1. Deny file access from all
  2. Have a "file provider" script which allows file passthrough after authentication.

Example:

proxy.php

<?php
$proxiedDirectory = "./files/"; // Whatever the directory you blocked access to is.
// basename() strips any directory component, so "../" cannot escape $proxiedDirectory
$filename = isset($_GET["fn"]) ? basename($_GET["fn"]) : null;

if (!user_is_authenticated()) { // Not a real method, use your own check
    http_response_code(403);
    exit;
}

$path = $proxiedDirectory . $filename;
if ($filename === null || $filename === '' || !is_file($path)) {
    http_response_code(404);
    exit;
}

$fp = fopen($path, 'rb');

// Determine the MIME type from the file contents (needs the fileinfo extension), else send a generic type
$mime = function_exists('mime_content_type') ? mime_content_type($path) : 'application/octet-stream';
header("Content-Type: " . $mime);
header("Content-Length: " . filesize($path));

fpassthru($fp);
fclose($fp);
exit;

And you'd use this via:

http://example.com/proxy.php?fn=filename.txt

How to block access to all .php except index.php in root folder (via .htaccess)?

In .htaccess:

RewriteEngine on
# In a .htaccess file the matched path has no leading slash, so match "application", not "/application"
RewriteRule ^application - [F]

The [F] option instructs it to issue a 403 Forbidden response on all matching URLs.

Or add a separate .htaccess file in /application containing just:

deny from all

Or in your Apache vhost definition:

<Location /application>
deny from all
</Location>

