

If you want to completely deny access to all files in a directory, you can create a .htaccess file containing only

Deny from all

That will block all access to it.

If you just want to block access to some files, you can use a regular expression:

<Files ~ "^.*\.sql$">
 Order deny,allow
 Deny from all
</Files>

This one would block access to all .sql files.

Edited by Atli: Forgot the $ in the regexp... not really important but, hey :-]


Will I still be able to access them in my scripts?
I want to be able to, yet no one should be able to access them in his browser (while he is trying to hack?)


Yes, this only limits access through the HTTP server, so access by server-side scripts will not be affected.

You can also be more specific in who you block.
For instance, this would block access to all PHP files, except for computers on a typical LAN and the localhost:

<Files ~ "^.*\.php$">
    order deny,allow
    deny from all
    allow from 192.168.0
    allow from
</Files>

Like say, if you have shared resources that need to be available to the network, but hidden from the outside.


OK, I'm about to do the actual job. I want to protect two folders, one is includes and the other is admin. How do I actually do it?
All files in includes start with inc (like inc.mydb.php) and in admin they begin with admin (like admin.myadmin.php) except for index.php in the admin folder.

Also, I have a folder editor which has my editor. I want to protect it too. So far I have created index.php and added a line to redirect to the parent index file and die. Any suggestion/direction is welcome!


There are several ways to choose from in this situation.

A passive way to deny access to both folders would be to put a .htaccess in the root of the main project and use the RewriteMatch directive. That would allow you to simply redirect anybody who tries to access anything in either of your protected directories to a location of your choosing.

RedirectMatch 301 /(includes|admin)/.* /

That redirects anybody from those directories over to the root of your project.

Or, you could go a more aggressive way and simply deny them access, returning a 403 "Forbidden" error. This is the same thing I posted earlier, which requires a separate .htaccess file in the target directory.

deny from all

That would deny all files in the directory.

If you want it more targeted, like just blocking admin.myadmin.php, you could do:

<Files ~ "^admin\..*\.php$">
    order deny,allow
    deny from all
</Files>

Hope that helps.
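
Added example, not part of the original thread: a small Python model of how the rules in the answer above apply to the layout described in the question, for checking which files stay reachable before deploying. The file listing, the function names and the first-match simplification are assumptions; only the two regular expressions and the deny-all rule come from the thread.

```python
import re

# Rule kinds as used in the thread (simplified model, first matching rule wins):
#   "deny_all" - .htaccess with "deny from all" in `scope`: 403 for everything below it
#   "files"    - <Files ~ "regex"> in `scope`: Apache tests the base file name only
#   "redirect" - RedirectMatch in the project root: tested against the whole URL path
def action_for(path, rules):
    """Return '403', '301' or 'served' for a project-relative path."""
    name = path.rsplit("/", 1)[-1]
    for kind, scope, pattern in rules:
        in_scope = scope == "" or path.startswith(scope + "/")
        if kind == "deny_all" and in_scope:
            return "403"
        if kind == "files" and in_scope and re.search(pattern, name):
            return "403"
        if kind == "redirect" and re.search(pattern, "/" + path):
            return "301"
    return "served"

def report(paths, rules):
    """Map every path to the action the rule set would produce."""
    return {p: action_for(p, rules) for p in paths}

# Constructed file listing modelled on the layout described in the question.
PATHS = [
    "index.php",
    "includes/inc.mydb.php",
    "admin/admin.myadmin.php",
    "admin/index.php",
    "editor/index.php",
    "editor/editor.js",  # hypothetical editor asset
]

# First option from the answer: one RedirectMatch in the root .htaccess.
REDIRECT = [("redirect", "", r"/(includes|admin)/.*")]
# Second and third options combined: deny all in includes/, targeted rule in admin/.
TARGETED = [("deny_all", "includes", None),
            ("files", "admin", r"^admin\..*\.php$")]

if __name__ == "__main__":
    for label, rules in (("redirect", REDIRECT), ("targeted", TARGETED)):
        print(label)
        for path, action in report(PATHS, rules).items():
            print(f"  {action:7} {path}")
```

In this model the targeted rule leaves admin/index.php served while the redirect rule also catches it, and neither rule set covers anything under editor/.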
