blocks|key|1263556|text|尝试禁用.htaccess文件中的engine+option：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1263557|php_flag+engine+off|code-block|syntax|javascript|1263558|entityMap|0|LINK|mutability|MUTABLE|url|http://docs.php.net/manual/en/apache.configuration.php#ini.engine^0|H|6|H|D|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@$9|T|A|U|B|C]]|D|@$9|V|A|W|1|X]]|E|$]]|$1|F|3|G|5|H|7|Y|8|@]|D|@]|E|$I|J]]|$1|K|3|-4|5|6|7|Z|8|@]|D|@]|E|$]]]|L|$M|$5|N|O|P|E|$Q|R]]]]

Try to disable the <a href="http://docs.php.net/manual/en/apache.configuration.php#ini.engine" rel="noreferrer"><code>engine</code> option</a> in your .htaccess file:

<pre><code>php_flag engine off
</code></pre>

blocks|key|1478176|text|<Directory+/your/directorypath/>
+++++php_admin_value+engine+Off
</Directory>|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|1478177|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>&lt;Directory /your/directorypath/&gt;
 php_admin_value engine Off
&lt;/Directory&gt;
</code></pre>

blocks|key|1478222|text|这些答案对我都不起作用(要么生成500错误，要么什么都不做)。这可能是因为我在托管服务器上工作，在该服务器上我无法访问Apache配置。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1478223|但这对我很有效：|1478224|RewriteRule+%5E.*\.php$+-+[F,L]|offset|length|style|CODE|1478225|对于任何以.php结尾并位于此子目录中的URL，此行都将生成403禁止的错误。|1478226|多亏了他，@Oussama指引我找到了正确的方向here。|1478227|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/users/1566232/oussama|1|https://stackoverflow.com/questions/11950049/disable-a-file-execution-inside-a-folder-htaccess-rule#answer-11950430^0|0|0|0|T|0|5|4|0|5|8|0|O|4|1|0^^$0|@$1|2|3|4|5|6|7|X|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Y|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Z|8|@$F|10|G|11|H|I]]|9|@]|A|$]]|$1|J|3|K|5|6|7|12|8|@$F|13|G|14|H|I]]|9|@]|A|$]]|$1|L|3|M|5|6|7|15|8|@]|9|@$F|16|G|17|1|18]|$F|19|G|1A|1|1B]]|A|$]]|$1|N|3|-4|5|6|7|1C|8|@]|9|@]|A|$]]]|O|$P|$5|Q|R|S|A|$T|U]]|V|$5|Q|R|S|A|$T|W]]]]

None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.

But this worked for me : 

<code>RewriteRule ^.*\.php$ - [F,L]</code>

This line will generate a 403 Forbidden error for any URL that ends with <code>.php</code> and ends up in this subdirectory.

<a href="https://stackoverflow.com/users/1566232/oussama">@Oussama</a> lead me to the right direction <a href="https://stackoverflow.com/questions/11950049/disable-a-file-execution-inside-a-folder-htaccess-rule#answer-11950430">here</a>, thanks to him.

blocks|key|1263495|text|这可能有些夸大其词--但要小心做任何依赖于PHP文件的扩展名为.php的事情--如果有人后来添加了.php4甚至.html的处理程序，以便由PHP来处理它们怎么办。您最好从Apache或其他只提供静态内容的Apache实例中提供这些目录中的文件。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1263496|entityMap^0|V|4|1D|5|1K|5|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]|$9|K|A|L|B|C]|$9|M|A|N|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|O|8|@]|D|@]|E|$]]]|G|$]]

This might be overkill - but be careful doing anything which relies on the extension of PHP files being <code>.php</code> - what if someone comes along later and adds handlers for <code>.php4</code> or even <code>.html</code> so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.

blocks|key|1478299|text|在生产环境中，我更喜欢将请求重定向到应该禁用.php处理的目录下的PHP文件，重定向到主页或404页面。这不会暴露任何源代码(为什么搜索引擎要索引上传的恶意代码？)对于访客，甚至是试图利用这些东西的邪恶黑客来说，它看起来更友好。此外，它也可以在任何上下文中实现-+vhost或.htaccess。如下所示：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1478300|<DirectoryMatch+"%5E${docroot}/(image%7Ccache%7Cupload)/">
++++<FilesMatch+"\.php$">
++++++++#+use+one+of+the+redirections
++++++++#RedirectMatch+temp+"(.*)"+"http://${servername}/404/"
++++++++RedirectMatch+temp+"(.*)"+"http://${servername}"
++++</FilesMatch>
</DirectoryMatch>|code-block|syntax|javascript|1478301|根据需要调整指令。|1478302|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:

<pre><code>&lt;DirectoryMatch "^${docroot}/(image|cache|upload)/"&gt;
 &lt;FilesMatch "\.php$"&gt;
 # use one of the redirections
 #RedirectMatch temp "(.*)" "http://${servername}/404/"
 RedirectMatch temp "(.*)" "http://${servername}"
 &lt;/FilesMatch&gt;
&lt;/DirectoryMatch&gt;
</code></pre>

Adjust the directives as you need.

blocks|key|1478355|text|我在Centos+6.10中对虚拟主机.conf定义文件中的多个文件夹使用：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1478356|<DirectoryMatch+%5E/var/www/mysite/htdocs/(nophpexecutefolder1%7Cnophpexecutefolder2)>
+++++++php_admin_value+engine+Off
</DirectoryMatch>|code-block|syntax|javascript|1478357|然而，即使它没有像通常那样解析php代码，它仍然可以从.php输出变量声明和文本等内容，例如在进行回显时。|1478358|<?php

echo+"PHP+CODE+EXECUTED!!";

$a=1;
$b=2;

echo+$a%2B$b;|1478359|以上内容是在web浏览器中生成的吗？|1478360|PHP+CODE+EXECUTED!!";+$a=1;+$b=2;+echo+$a%2B$b;|1478361|这可能会将一些不理想的代码暴露给用户。|1478362|因此，在.htaccess中最好结合使用上面的代码和下面的代码：|1478363|<FilesMatch+".*.(php%7Cphp3%7Cphp4%7Cphp5%7Cphp6%7Cphp7%7Cphp8%7Cphps%7Cpl%7Cpy%7Cpyc%7Cpyo%7Cjsp%7Casp%7Chtm%7Chtml%7Cshtml%7Cphtml%7Csh%7Ccgi)$">
+Order+Deny,Allow
+Deny+from+all
++#IPs+to+allow+access+to+the+above+extensions+in+current+folder
++#+Allow+from+XXX.XXX.XXX.XXX/32+XXX.XXX.XXX.XXX/32
</FilesMatch>|1478364|以上将阻止访问上述任何文件扩展名，但将允许以常规方式访问其他扩展名，如图像、css等。访问.php时出现错误：|1478365|Forbidden

You+don't+have+permission+to+access+/nophpexecutefolder1/somefile.php+on+this+server.|1478366|entityMap^0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|10|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|11|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|12|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|13|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|14|8|@]|9|@]|A|$]]|$1|M|3|N|5|D|7|15|8|@]|9|@]|A|$E|F]]|$1|O|3|P|5|6|7|16|8|@]|9|@]|A|$]]|$1|Q|3|R|5|6|7|17|8|@]|9|@]|A|$]]|$1|S|3|T|5|D|7|18|8|@]|9|@]|A|$E|F]]|$1|U|3|V|5|6|7|19|8|@]|9|@]|A|$]]|$1|W|3|X|5|D|7|1A|8|@]|9|@]|A|$E|F]]|$1|Y|3|-4|5|6|7|1B|8|@]|9|@]|A|$]]]|Z|$]]

I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<pre><code>&lt;DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)&gt;
 php_admin_value engine Off
&lt;/DirectoryMatch&gt;
</code></pre>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<pre><code>&lt;?php

echo &quot;&lt;strong&gt;PHP CODE EXECUTED!!&quot;;

$a=1;
$b=2;

echo $a+$b;
</code></pre>
The above produces in web browser?
<pre><code>PHP CODE EXECUTED!!&quot;; $a=1; $b=2; echo $a+$b;
</code></pre>
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<pre><code>&lt;FilesMatch &quot;.*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$&quot;&gt;
 Order Deny,Allow
 Deny from all
 #IPs to allow access to the above extensions in current folder
 # Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
&lt;/FilesMatch&gt;
</code></pre>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
<pre><code>Forbidden

You don't have permission to access /nophpexecutefolder1/somefile.php on this server.
</code></pre>

blocks|key|1263790|text|<Files+*.php>
++++Order+deny,Allow
++++Deny+from+all
</Files>|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|1263791|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>&lt;Files *.php&gt;
 Order deny,Allow
 Deny from all
&lt;/Files&gt;
</code></pre>

I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:

<pre><code>-/USERS
 -/DEMO1
 -/DEMO2
 -/DEMO3
 -/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
</code></pre>

Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS

Can this be done (and how :) )? Thanks in advance.

BTW, I use WAMP server

Disable PHP in directory (including all sub-directories) with .htaccess

虚拟主机

服务器

我正在制作一个网站，允许人们上传文件，html页面，等等。现在我遇到了一个问题。我有一个这样的目录结构：-/USERS    -/DEMO1    -/DEMO2    -/DEMO3    -/etc... (every user has his own direcory here)-index.php-control_panel.php-.htaccess现在我想禁用PHP，但在/USERS内

问使用.htaccess禁用目录(包括所有子目录)中的PHP
EN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用.htaccess禁用目录(包括所有子目录)中的PHPEN

回答 7

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用.htaccess禁用目录(包括所有子目录)中的PHP
EN