PHP: allowing upload of .php files for users, how do I prevent them from running?
Question
I am allowing people to upload their project files, I've tightened my security but I just need to get to the simple point. How can I stop execution of any files in the subdirectories they're uploading too?
I'm thinking .htaccess but I'd need to generate one for each new subdirectory (I think), would I need to scrap my current code and use a .php file to send headers to force DL on the file instead of running?
What do you think is an easy and safe solution for this? It just uploads to a subdirectory like uploads/~foo/bar.html or something, it looks nice that way so it'd be nice if it can stay like that format.
2 answers
solution1
0 ACCPTED 2010-06-19 09:36:28
Put this in uploads/.htaccess :
RemoveType application/x-httpd-php .php
This will work for all subfolders. Also make sure you don't parse .htaccess in the users folders. This can be done by AllowOverride None in the main server config, or it can be done by not allowing uploads of .htaccess files in the first place.
solution2
0 2010-06-19 09:39:03
If for example these uploaded files are in the directory "uploads" and subdirectories of it:
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.