
#1 mutago234

Preventing execution of PHP files embedded in an image

Posted 29 September 2013 - 02:35 PM

I have written a well-working script to allow upload of PHP files.

Now, if peradventure the application was bypassed, how can someone prevent directory execution of PHP files, assuming you do not want to upload the files outside the root? In this context I tried using .htaccess files to allow only certain image extension names and also prevent PHP code execution.

I added the following:

    # prevent direct execution of files in /upload
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .rb .vb .js .aspx .php3 .php4 .phtml
    Options -ExecCGI

    # allow only jpg, gif, png
    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
    order deny,allow
    allow from all
    </Files>

    # turn off the PHP engine so that PHP code embedded in an image will not execute
    php_flag engine off

    # prevent execution of any files in that directory, be it perl, php, asp etc.
    <Files >
    deny from all
    </Files>


My question is this: my server runs suPHP and not mod_php. Since suPHP does not work as an Apache module (mod_php), can php_flag work with suPHP in .htaccess or httpd.conf configuration files?

Thank you.

This post has been edited by Atli: 29 September 2013 - 03:15 PM
Reason for edit:: Use [code] tags when posting code.
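
A guarded variant of the .htaccess from the post above, as an added example that is not part of the original thread. It assumes Apache 2.2-style access directives (as the post uses), the PHP 5 module identifier mod_php5.c, and an AllowOverride setting that permits these directives in the uploads directory.

```apache
# .htaccess for the uploads directory (added example, not the poster's file)

# 1. Default for this directory: refuse every request.
Order deny,allow
Deny from all

# 2. Re-allow only names made of word characters plus ONE image extension.
#    \w does not match ".", so a two-extension name such as photo.php.jpg
#    is not re-allowed and stays covered by the Deny above.
<FilesMatch "^\w+\.(gif|jpe?g|png)$">
    Order allow,deny
    Allow from all
</FilesMatch>

# 3. Serve whatever is left as static bytes: drop inherited script
#    mappings, force the static-file handler, and disable CGI execution.
RemoveHandler .php .phtml .php3 .php4 .pl .py .cgi .sh
RemoveType .php .phtml .php3 .php4
SetHandler default-handler
Options -ExecCGI

# 4. php_flag is a directive provided by mod_php. When PHP runs through
#    suPHP that module is not loaded, and a bare "php_flag engine off"
#    is an unknown directive that makes Apache answer 500 for the whole
#    directory. Wrapped in <IfModule>, it applies only where mod_php is
#    present and is skipped everywhere else.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

Under suPHP the protection therefore comes from steps 1 to 3; step 4 only matters if the same file is later deployed on a server that runs mod_php.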

Replies To: Preventing execution of PHP files embedded in an image

#2 Atli

Re: Preventing execution of PHP files embedded in an image

Posted 29 September 2013 - 03:19 PM

Moved to the Web Servers and Hosting forum. This question, and questions such as these, although loosely related to PHP, don't really involve PHP coding. These revolve around Apache and its modules, and as such should rather be posted here.

Also, please use [code] tags when posting code, and other such content, including Apache configuration files. Any sort of pre-formatted text is best posted in [code] tags. Much easier to read that way.