Tell Apache whether or not to execute PHP on requests

Question

I am using PHP with Apache and wonder if there is a way to indicate from the client side that the requested PHP file shouldn't be executed/parsed. By standard, I want all PHP files to be executed when requested, but I want a way to indicate from the client side that the file should not be executed.

A nice solution would be to supply an extra header in the request using JavaScript and then write some code in a .htaccess file to check if the header is present, and if it is tell apache to not execute the file and just serve it as text.

Using GET parameters or something else would also be okay.

Is this possible? If so, how?

Answer 1

You can also set a handler in the .htaccess file (or server configuration as well):

<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
    Require all granted
</FilesMatch>

Then you need to set a symlink to the php file, on linux systems:

ln -s filename.php filename.phps

You will get syntax highlighted source when requesting filename.phps .

Require all granted is the syntax in Apache 2.4. Older versions use Allow from all and Deny from none .

Answer 2

Can your PHP files have one extra line?

Line 1: <?php include('viewAsSource.php'); ?> <?php include('viewAsSource.php'); ?>

viewAsSource.php:

<?php
if(isset($_GET['src'])) {
    $self = $_SERVER['SCRIPT_FILENAME'];
    $lines = file($self);

    $output = '';
    foreach ($lines as $line) {
        $output .= nl2br(htmlspecialchars($line));
    }
    echo $output;
}

That way, if they request "sample.php" they get the parsed version, but if they request "sample.php?src" they get the source code?

Answer 3

supply an extra header in the request [using JavaScript] and then write some code in a .htaccess file to check if the header is present

You could get Apache to check for this (secret) header and internally rewrite the request to a viewAsSource.php -type file that then reads the REQUEST_URI (or a passed query string parameter) and returns the file source instead. Similar to @LucasKrupinski suggestion, except you don't need to include anything in the PHP file itself.

For example, in your root .htaccess file:

RewriteEngine On

# Block direct access to any file in the /tools directory
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^tools/ - [F]

# Display PHP source...
RewriteCond %{HTTP:X-Action} ^display-source$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (.+\.php)$ tools/display-source.php?url=$1 [L]

For all .php requests this checks for the X-Action HTTP request header having a value of "display-source" and that the requested file exists. If these conditions are met then the request is internally written to a /tools/display-source.php script, passing the URL in the url parameter. You could instead check the $_SERVER['REQUEST_URI'] superglobal, but note that this also includes any query string that is passed on the request.

Then, in display-source.php , something like:

<?php
$url = isset($_GET['url']) ? $_GET['url'] : null;
if (isset($url)) {
    $file = $_SERVER['DOCUMENT_ROOT].'/'.$url;
    // Validate $file....
    // :
    highlight_file($file);
}