security - How to prevent PHP files from being downloaded? And what are some ways someone can download them?

Question

Welcome To Ask or Share your Answers For Others

security - How to prevent PHP files from being downloaded? And what are some ways someone can download them?

1 Reply

深蓝 · Answer 1 · 2021-10-17T00:34:49+0000

You can't really avoid files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:

<?php
readfile($_GET['file']);
?>

If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:

# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
    <FilesMatch ".(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml file as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
    AddType text/html .php .phtml .phps
    AddHandler application/x-httpd-php .php .phtml
    AddHandler application/x-httpd-php-source .phps
</IfModule>

Categories

security - How to prevent PHP files from being downloaded? And what are some ways someone can download them?

security - How to prevent PHP files from being downloaded? And what are some ways someone can download them?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags