I made a basic PHP upload system in order to allow file uploads to my server. The only problem I run into is that I want to be able to upload .php files (and other possible files that are executed by the webserver before being sent to the client), but those files should not be executed, for the obvious reasons.

I assume this should be possible trough the .htaccess file, but I have no idea how. Any suggestions?

6 Years
Discussion Span
Last Post by Lapixx

You have a few options:

1.) You can upload the files outside of the document root which will make them unaccessible via url. But, if you offer downloads you will have to do it via a php script.

2.) You can use a .htaccess file with a FileMatch directive to disable all access to .php files.

<FilesMatch "\.(php)$">
Order allow,deny
Deny from all



The problem is that the file still needs to be accessible, i.e. I want the user to be able to upload PHP files and such, it's just that the file should not be executed (since that's not really secure).

I've looked into PHP force downloads scripts before, but it looks more neat (to me) to just offer the downloads trough the normal location of the file.


Using this line in your .htaccess fill will remove the type handler for the php files and they will be served by default as HTML to the user. So like text files, clicking the link will open the file instead of sending it to the php interpreter.

RemoveType .php .php3 .php4 .php5

That's just what I needed, thanks! Is there any way to check what types have been set? Or to remove *all* types at once?

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.