Disable PHP in a directory with Apache .htaccessDisable PHP in a directory with Apache .htaccess

Posted March 29th, 2010 in Apache and PHP

If you have a directory which users can upload files into it's a good idea for security reasons to disable server-side parsing of scripts such as PHP. This post shows a couple of options using Apache's .htaccess files.

RemoveHandler and RemoveType

The handlers for PHP are added using AddType in the Apache configuration, and should be able to be removed in a .htaccess file like so (adding whatever additional extensions you need):

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3

However this doesn't seem to work for me. I don't know why. If anyone has any ideas please leave your thoughts in the comments section below.

php_flag engine off

Another way to disable PHP in a .htaccess file is by adding a line like this:

php_flag engine off

This method did work for me when I tested it.

I assume this will still invoke the PHP handler which will then not parse the script when it knows what various PHP settings are enabled and disabled. Note that when PHP is disabled then the end user will get the source code of the PHP script in their browser.

To be on the safe side

Just to be certain that PHP isn't parsed in the selected directory, and given RemoveHandler and RemoveType didn't seem to work for me, it may be best to add all three lines like so:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Related posts:

Comments

blog comments powered by Disqus