I made a basic PHP upload system in order to allow file uploads to my server. The only problem I run into is that I want to be able to upload .php files (and other possible files that are executed by the webserver before being sent to the client), but those files should not be executed, for the obvious reasons.

I assume this should be possible trough the .htaccess file, but I have no idea how. Any suggestions?

Recommended Answers

All 4 Replies

You have a few options:

1.) You can upload the files outside of the document root which will make them unaccessible via url. But, if you offer downloads you will have to do it via a php script.

2.) You can use a .htaccess file with a FileMatch directive to disable all access to .php files.

<FilesMatch "\.(php)$">
Order allow,deny
Deny from all


The problem is that the file still needs to be accessible, i.e. I want the user to be able to upload PHP files and such, it's just that the file should not be executed (since that's not really secure).

I've looked into PHP force downloads scripts before, but it looks more neat (to me) to just offer the downloads trough the normal location of the file.

Using this line in your .htaccess fill will remove the type handler for the php files and they will be served by default as HTML to the user. So like text files, clicking the link will open the file instead of sending it to the php interpreter.

RemoveType .php .php3 .php4 .php5

That's just what I needed, thanks! Is there any way to check what types have been set? Or to remove *all* types at once?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.