how to protect php file with .htaccess from downloading with php5 crashed

Question

Last night I made some admin changes to my webserver. I use php. The php processor failed after the update and if someone went to my homepage, the php page would simply download and show the proprietary code and password to anyone visiting. So I was wondering if there is a way to prevent any form of download for php files using .htaccess -- but still allow for normal viewing of the files.

Answer 1

A good pattern to follow during development is to use a minimal initialization file, which invokes the actual application which resides outside the webroot. That way only a minimal stub with no critical information is exposed in a case like this.

Simplified example:

/
  /app
    critical_code.php
  /webroot
    .htaccess   <- rewrites all requests to index.php
    index.php   <- invokes ../app/critical_code.php (or other files as requested)

Answer 2

The trouble here is that either .htaccess is serving your files to the user or it's not. You can't tell it to deny access to the .php files, because then access will be denied during normal use, as well. There is no fallback behavior for the PHP processor simply not running correctly.

Maybe it's worth temporarily moving the web root to point to an "under maintenance" site when doing big things like that, to minimize risk as much as possible.

Answer 3

Assuming you're using Apache, your .htaccess file would look something like this.

<FilesMatch ".*\.php">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
<IfModule php5_module>
    <FilesMatch ".*\.php">
        Allow from all
        Satisfy All
    </FilesMatch>
</IfModule>

The first rule denies access to all .php files. By default, the user will see a 403 (Forbidden) error.

If the PHP5 module successfully loads, the second rule will take affect, which grants access.