Home » Php » apache – Disabling download of php files if PHP is not installed

apache – Disabling download of php files if PHP is not installed

Posted by: admin July 12, 2020 Leave a comment

Questions:

My university has multiple servers which have the same data mirrored across them, so I can access for instance

foo.uni.edu/file.php
bar.uni.edu/file.php

The thing is, not all servers have PHP installed, so anyone could possibly download my php files if they made the connection through a server which didn’t have PHP installed.
Is there a way, possibly with .htaccess to avoid this? As in, only allow opening PHP files if PHP server is installed?

How to&Answers:

If it’s possible to store files outside of the document root, you could work around the problem by storing all sensitive data outside the docroot. You would then have your publicly accessible scripts use include to access those files.

So, if you upload to /username/public_html, and public_html is your document root (eg, foo.uni.edu/file.php is /username/public_html/file.php), then you would upload to /username/file.php instead and place another script in /username/public_html which merely contains something like include('../file.php');

This is good practice in any case, in case a configuration error on the server ever stops PHP from being parsed.

You could also try using IfModule and FilesMatch to deny access to PHP files if mod_php isn’t enabled:

<IfModule !mod_php.c>
    <FilesMatch "\.php$">
        Order Deny,Allow
        Deny from All
    </FilesMatch>
</IfModule>

If this doesn’t work, try !mod_php5.c instead.