我想防止人们使用.htaccess直接访问我的php页面

Question

I have a site that is made up of php pages, but they are served to the user through includes based on what I think they need. if they can guess the name of a php file, they can access those pages. while this is not a security risk at all, i would rather have a way to catch this and redirect them to somewhere else.

i really want everything to go through the index page unless it is a file that exists (exeption being for any file ending with .php).

I tried this, didnt work:

RewriteEngine on
RewriteCond %{REQUEST_URI} !(.*\.php$) [NC]
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule .* /n/index.php [NC]

Answer 1

也许您可以将php文件放在网络路径之外的目录中？

Answer 2

One way to handle this would be to define a constant in the page doing the including:

define("access", "legitimate");

Then at the start of each included file:

if(!defined('access')){
    header("Location:index.php");
    die(); // make sure to call die() or the rest of the page will be parsed
}

This is the way many frameworks and CMS handle this issue (off the top of my head, Joomla! and CodeIgniter) - you don't need to mess about with .htaccess, and it will also work across various hosting platforms.

Answer 3

I think something like this will work for you:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
RewriteRule \.php$ index.php [L]

Answer 4

RewriteEngine on
RewriteCond %{REQUEST_URI} .*\.php$ [NC]
RewriteRule !^index\.php$ error.php

This works for me, and looks like it should do what you want. Putting the scripts you don't want direct access to outside of the web path is the better answer though - it doesn't require special rules (that may later break and require changing) nor extensions.