up vote100down votefavorite
33

Here is the scenario:

  • There is a index.php file in root folder
  • some files are included in index.php which are in the includes folder.
  • 1 other file (submit.php) is in the root folder for form submit action.

I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file. Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).

    
shareimprove this question
 
up vote209down voteaccepted

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

shareimprove this answer
 
4 
Will other file be able to make ajax request to the file present in that folder? – Chaitanya Chandurkar Apr 2 '13 at 13:22
13 
@ChaitanyaChandurkar No, an ajax request is a normal http request so that will be denied. – jeroen Apr 2 '13 at 13:38
   
Sr b/c I new web programming. How can I add an exception for access to my file index.php? – PhatHV Aug 27 '15 at 2:12
   
How can I display the image present into this folder using URL? – Vikas Khunteta Dec 11 '15 at 20:07
   
I used deny from all and it restricted every url..not even showing login page.. :( – Aamir Jun 21 '16 at 6:34
up vote40down vote

This is pure mod_rewrite based solution:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php

shareimprove this answer
 
2 
Good job addressing the submit file – CTS_AE Nov 12 '14 at 2:55
up vote13down vote

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>
shareimprove this answer
 
3 
I am not sure about the one who posted the question whether his problem solved or not, but this is the beauty of SO that multiple answer can help lots of members. This last answer resolved my issue. I want to let sites get css file but no access to ttf or otf fonts, and boom! resolved. – Moxet Khan Jun 27 '16 at 6:09
   
after this i am not abel to access files in subfolders – Gintare Statkute May 24 at 13:31
up vote8down vote

If I understand correctly you just want to deny access to the includes folder?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

shareimprove this answer
 
up vote8down vote

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.

However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

If this is true then you can't use anubhava's part II as this will cause your form to fail. What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:

RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php   [NC]
RewriteRule ^submit\.php$    -                                   [F]

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

shareimprove this answer
 
up vote8down vote

1 liner mod_alias based solution :

RedirectMatch 403 ^/folder/file.php$

This will show forbidden error for /folder/file.php

shareimprove this answer
 
1 
+1 - This is actually very good, because no one can even see which files exist if you apply 404 to an entire folder, using regex ^folder. – bytecode77 Jun 21 '16 at 19:08
up vote4down vote

Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

Satisfy all
Order deny,allow
Deny from all

I ran into this when the upper directory defined basic authentication including the line:

Satisfy any

This was preventing my deny from all to take effect because the users were authenticated.

shareimprove this answer
 

来自 https://stackoverflow.com/questions/9282124/deny-direct-access-to-a-folder-and-file-by-htaccess

  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •