
Disable PHP in a directory with Apache .htaccess

If you have a directory that users can upload files into, it’s a good idea for security reasons to disable server-side parsing of scripts such as PHP in that directory. This post shows a couple of options using Apache’s .htaccess files.

RemoveHandler and RemoveType

The handlers for PHP are added using AddType in the Apache configuration, and it should be possible to remove them in a .htaccess file like so (adding whatever additional extensions you need):

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3

However, this doesn’t seem to work for me. I don’t know why. If anyone has any ideas, please leave your thoughts in the comments section below.

php_flag engine off

Another way to disable PHP in a .htaccess file is by adding a line like this:

php_flag engine off

This method did work for me when I tested it.

I assume this will still invoke the PHP handler, which will then not parse the script when it knows what various PHP settings are enabled and disabled. Note that when PHP is disabled, the end user will get the source code of the PHP script in their browser.

To be on the safe side

Just to be certain that PHP isn’t parsed in the selected directory, and given RemoveHandler and RemoveType didn’t seem to work for me, it may be best to add all three lines like so:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
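
One way to check that a .htaccess file carries all three lines for every extension you care about, as an added example (not code from the original post). The function names, the REQUIRED_EXTS list and the two sample files are assumptions made for illustration.

```python
# Extensions from the post's example; extend to match your server (assumption).
REQUIRED_EXTS = {"php", "phtml", "php3"}

def audit_htaccess(text, required=REQUIRED_EXTS):
    """Report which of the post's three directives a .htaccess body contains."""
    removed = {"removehandler": set(), "removetype": set()}
    engine_off = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank lines and comments
            continue
        parts = line.split()
        name = parts[0].lower()                # directive names are case-insensitive
        args = parts[1:]
        if name in removed:
            # Extensions may be written with or without the leading dot.
            removed[name].update(a.lstrip(".").lower() for a in args)
        elif name == "php_flag" and len(args) == 2 and args[0].lower() == "engine":
            # Keep the value of the last "php_flag engine" line seen.
            engine_off = args[1].lower() == "off"
    return {
        "engine_off": engine_off,
        "handler_missing": sorted(required - removed["removehandler"]),
        "type_missing": sorted(required - removed["removetype"]),
    }

def is_complete(report):
    """True only when all three directives cover every required extension."""
    return (report["engine_off"] and not report["handler_missing"]
            and not report["type_missing"])

# Constructed sample inputs (not taken from a real server).
FULL = """\
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
"""
PARTIAL = """\
# upload directory
removehandler .php
RemoveType php phtml
#php_flag engine off
"""

if __name__ == "__main__":
    for label, body in (("full", FULL), ("partial", PARTIAL)):
        report = audit_htaccess(body)
        print(label, "complete" if is_complete(report) else "incomplete", report)
```

This only inspects the text of the file; whether Apache honours the directives depends on the server configuration, so confirm the result by requesting a harmless test script from the directory.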