'How to disallow the execution of PHP files in a specific directory?
I noticed huge bug on a server which allows to upload any file (including *.php) and then execute it! It's terrible! I don't know whether I should prevent uploading *.php files or disable their execution in php.ini (which I don't know how to do)
Solution 1:[1]
You can put your uploaded files outside the web root.
Also, you can set IIS to deny uploading PHP files: IIS 8.5 deny PHP upload
Also, you can set the upload folder's permission to disallow executing files inside it.
Also, you can check the files which are being uploaded for their type: http://php.net/manual/ro/function.mime-content-type.php
You can also set the permission to read/write, but not to execute.
Solution 2:[2]
If you are using apache, create a .htaccess file in the folder and write the below code
<Files *.php>
deny from all
</Files>
Then save the file. This can prevent execution of PHP files in the folder
Solution 3:[3]
If you uses Apache server, try to place into target directory file .htaccess containing string php_flag engine off. This will block execution of any file as php script for this directory and all subdirectories. Also prevent uploading any file with filename starting with "."
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Lajos Arpad |
| Solution 2 | jai3232 |
| Solution 3 | undrown |