#1 mutago234

Securing PHP files using .htaccess

Posted 22 September 2013 - 02:22 PM

I tried securing PHP files using .htaccess.
I will need corrections if there is anything I am doing wrong.


1: Prevent direct access to .php files
Solution:
a: Remove your files from the document root and place them outside the document root. It's the safest method. Leave only your main controller script inside the root, e.g. index.php.
b: In .htaccess, add a 404 page and try the following...

# mod_rewrite rules are ignored unless the engine is switched on
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /[^?\ ]*\.php[/?\ ]
RewriteRule .*\.php$ 404.php [L]




2: Prevent direct access to PHP include files

<?php
if (!defined('MyConst')) {
    die('Direct access not permitted');
}
?>

Then, on the pages that include it, I added:

<?php
define('MyConst', TRUE);
?>



3: To prevent Apache from exposing the source code if the Apache configuration is messed up:

I added the code below to the .htaccess file. Should I also add it to the httpd.conf file?

# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
    <FilesMatch "\.(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>



4: Securing directories by removing the ability to execute scripts.
In the .htaccess files I added the code below:


AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI


5: To prevent other users resident on your server from accessing your application:

I added this code to all PHP page files:

PHP Code:
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');

and by renaming the config.php file to something else.


6: To prevent access to .htaccess and .htpasswd files

I added the code below to the .htaccess files:

# Dot escaped so that only names starting with a literal ".ht" match
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>




Can someone point out what I am doing wrong and its possible solutions in the above
security implementations?

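One way to test what the item 1 pattern matches, and how the unescaped and escaped spellings of the item 6 file pattern differ, before relying on them (an added example, not part of the original thread). It assumes Python's re module behaves like Apache's PCRE for these simple patterns; the function names, request lines and file names are constructed for illustration.

```python
import re

# Item 1's RewriteCond pattern, copied from the post.
THE_REQUEST_PHP = re.compile(r"^[A-Z]+\ /[^?\ ]*\.php[/?\ ]")
# Two spellings of an item 6 style <Files ~ "..."> pattern.
HT_UNESCAPED = re.compile(r"^.ht")   # "." matches any one character
HT_ESCAPED = re.compile(r"^\.ht")    # "\." matches a literal dot only

# Constructed request lines, in the form Apache exposes as %{THE_REQUEST}.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET / HTTP/1.1",
    "GET /inc/db.php?x=1 HTTP/1.1",
    "GET /page?file=a.php HTTP/1.1",
    "GET /inc/view.phtml HTTP/1.1",
]
# Constructed file names (base names, which is what <Files> compares).
SAMPLE_FILES = [".htaccess", ".htpasswd", "shtml-notes.txt", "index.php"]


def cond_matches(request_line):
    """True if the RewriteCond on %{THE_REQUEST} would match this line."""
    return THE_REQUEST_PHP.search(request_line) is not None


def files_covered(pattern, names):
    """Names that a <Files ~ "pattern"> block would apply to."""
    return [name for name in names if pattern.search(name)]


def report():
    """Collect results for every sample so they can be reviewed together."""
    return {
        "requests": {r: cond_matches(r) for r in SAMPLE_REQUESTS},
        "unescaped": files_covered(HT_UNESCAPED, SAMPLE_FILES),
        "escaped": files_covered(HT_ESCAPED, SAMPLE_FILES),
    }


if __name__ == "__main__":
    result = report()
    for line, hit in result["requests"].items():
        print(f"{'MATCH' if hit else 'pass ':5}  {line}")
    print("^.ht   covers:", result["unescaped"])
    print("^\\.ht  covers:", result["escaped"])
```

The condition does not match a request for / or for a .phtml file, although item 3's FilesMatch treats .phtml as PHP. The unescaped file pattern also covers shtml-notes.txt, which the escaped one leaves alone.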

Replies To: Securing PHP files using .htaccess

#2 andrewsw

Re: Securing PHP files using .htaccess

Posted 22 September 2013 - 03:51 PM

mutago234, on 22 September 2013 - 09:22 PM, said:

Can someone point out what I am doing wrong and its possible solutions in the above
security implementations?

I won't be able to help you with this myself but, for anyone else reading, how do you know that it's wrong? Have you performed some tests that failed? In which case, describe what isn't working: this will make it easier for someone to advise you.

#3 no2pencil

Re: Securing PHP files using .htaccess

Posted 22 September 2013 - 04:00 PM

.htaccess is not part of php, moving to web servers & hosting.