been looking for your help, i found a method, but it is not as i wish. if someone can help me.
What I want is that nobody can enter a direct URL with .php
example when I enter my domain.com/buy/product.php, I want it to be forbidden,
I was looking for information here, I found this code that worked for me but in .htaccess
RewriteEngine On
RewriteCond %{THE_REQUEST} "^.+? [^?]+.php(?:[?/# ]|$)" [NC]
RewriteRule !^index.php$ - [F,L,NC]
it worked fine for me, but the problem that I in a directory /include/ajax.php , I use an ajax. and it gives me error to execute the ajax by browsing.
Now what I’m thinking how to make it work with that htaccess code that you can enter the index.php and /include/ajax.php, I tried all means but it does not work for me.
In another case if you know any code to add to my php or how to do for my version which is version 7.3, but without ruining my code.
2
Answers
After 2 days of looking for some code, I was able to read and understand. study how htaccess works.
Thanks to the users who guided me, I found the solution. Although my title is not quite correct.
My intention was always to block all .php that always the user wanted to enter directly by .PHP, I had found the code above, but it did not work with a specific file in the /include/ajax.php folder, exactly it was an ajax, I could not find solution.
exactly it was an Ajax, I could not find the solution to make it work.
Until I managed to solve this way.
This causes all .php to be blocked, except the index.php and the /include/ajax.php file.
This is how it worked for me. If I am right or wrong, can you give me some guidance.
I leave this in case someone might find it useful in the future. I was always recommended to route my php, that I would forget about these problems.
I will keep it in mind as I move forward in the future, to route my php.
Rather than giving you the answer straight out, I’m going to give you some hints so that you aren’t copying code you don’t understand.
Each
RewriteRule
has three parts:Before each rule, you can optionally have one or more
RewriteCond
lines which apply extra conditions to the rule; each has three parts:The most important flag in this case is
[F]
, short for[forbidden]
, which says "if the rule matches, instead of rewriting or redirecting, just server a 403 response.You should very rarely need to test against
%{THE_REQUEST}
, which is a raw version of the request line from the browser; much more often, you want%{REQUEST_URI}
and/or%{QUERY_STRING}
.The patterns in both
RewriteRule
andRewriteCond
can be negated (i.e. "must not match this pattern") by starting them with!
So, if you wanted to return a 403 for all URLs ending ".bad", except for URLs ending "not.bad" or "only-a-little.bad", you could write this (note that
$
is the way to say "must end here" in the regex patterns):Hopefully it should be straight-forward enough to see how to adapt that to your requirements.
The full list of options and variables available is in the Apache manual.