Question 8204 in PHP Versions Question posted in
You can find a list of all versions here.

Block direct access to .php files, less the index.php file and ajax.php file – PHP Versions

been looking for your help, i found a method, but it is not as i wish. if someone can help me.

What I want is that nobody can enter a direct URL with .php

example when I enter my domain.com/buy/product.php, I want it to be forbidden,

I was looking for information here, I found this code that worked for me but in .htaccess

RewriteEngine On

RewriteCond %{THE_REQUEST} "^.+? [^?]+.php(?:[?/# ]|$)" [NC]
RewriteRule !^index.php$ - [F,L,NC]

it worked fine for me, but the problem that I in a directory /include/ajax.php , I use an ajax. and it gives me error to execute the ajax by browsing.

Now what I’m thinking how to make it work with that htaccess code that you can enter the index.php and /include/ajax.php, I tried all means but it does not work for me.

In another case if you know any code to add to my php or how to do for my version which is version 7.3, but without ruining my code.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    After 2 days of looking for some code, I was able to read and understand. study how htaccess works.

    Thanks to the users who guided me, I found the solution. Although my title is not quite correct.

    My intention was always to block all .php that always the user wanted to enter directly by .PHP, I had found the code above, but it did not work with a specific file in the /include/ajax.php folder, exactly it was an ajax, I could not find solution.

    exactly it was an Ajax, I could not find the solution to make it work.

    Until I managed to solve this way.

    RewriteEngine on

RewriteCond %{THE_REQUEST} ajax.php [NC]
RewriteRule ^ - [NC,L]

RewriteCond %{THE_REQUEST} .+.php [NC]
RewriteRule ^ - [F,L]

    This causes all .php to be blocked, except the index.php and the /include/ajax.php file.

    This is how it worked for me. If I am right or wrong, can you give me some guidance.

    I leave this in case someone might find it useful in the future. I was always recommended to route my php, that I would forget about these problems.

    I will keep it in mind as I move forward in the future, to route my php.


  2. 0

    Rather than giving you the answer straight out, I’m going to give you some hints so that you aren’t copying code you don’t understand.

    Each RewriteRule has three parts:

    • the pattern to match against the URL sent by the browser
    • the URL to rewrite to
    • an optional set of flags for extra options

    Before each rule, you can optionally have one or more RewriteCond lines which apply extra conditions to the rule; each has three parts:

    • a variable to match against
    • the pattern to match
    • an optional set of flags for extra options

    The most important flag in this case is [F], short for [forbidden], which says "if the rule matches, instead of rewriting or redirecting, just server a 403 response.

    You should very rarely need to test against %{THE_REQUEST}, which is a raw version of the request line from the browser; much more often, you want %{REQUEST_URI} and/or %{QUERY_STRING}.

    The patterns in both RewriteRule and RewriteCond can be negated (i.e. "must not match this pattern") by starting them with !

    So, if you wanted to return a 403 for all URLs ending ".bad", except for URLs ending "not.bad" or "only-a-little.bad", you could write this (note that $ is the way to say "must end here" in the regex patterns):

    RewriteCond %{REQUEST_URI} !not.bad$
RewriteCond %{REQUEST_URI} !only-a-little.bad$
RewriteRule .bad$ - [F]

    Hopefully it should be straight-forward enough to see how to adapt that to your requirements.

    The full list of options and variables available is in the Apache manual.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search