GetSimple Support Forum
protect direct access to php files using mod rewrite - Printable Version


protect direct access to php files using mod rewrite - yojoe - 2010-11-15

It's currently possible to find out if a certain php file exists, regardless of the output.
What I'd like to point out is that it would be great to prevent direct access to php files using mod rewrite. 2 simple rules would allow access only to index.php

Code:
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
<FilesMatch "index\.php$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

The problem is that this solution cuts out the ability to administrate the website, because menu links in the admin panel point directly to .php files.

Adding exceptions to the allow rule makes it unusable.
Would you consider changing the backend a little bit, to include admin php files rather than loading them directly, so htaccess could prevent direct access to all php files except index.php?


protect direct access to php files using mod rewrite - herb - 2010-11-21

How about a constant set early in index.php, then have every other file check for constant before execution?


protect direct access to php files using mod rewrite - Zegnåt - 2010-11-21

herb Wrote: How about a constant set early in index.php, then have every other file check for constant before execution?
We’re doing that already. PHP files that should not be accessed directly but only through an include will die() before executing anything. But yojoe wants to make the server block those files in a way so no PHP needs to run at all.
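
One way to check that the constant guard discussed in this thread is really the first thing every include runs, as an added example that is not part of the thread or of GetSimple's code. The constant name `IN_APP`, the entry-point list and the sample PHP sources are assumptions constructed for illustration, and the comment stripping is a simplification that ignores `//` or `#` inside string literals.

```python
import os
import re

# Constructed PHP sources (not GetSimple's files); IN_APP is a hypothetical constant name.
SAMPLES = {
    "guarded_if.php": "<?php\nif (!defined('IN_APP')) { die('no direct access'); }\necho 'menu';\n",
    "guarded_or.php": "<?php // settings include\ndefined(\"IN_APP\") or exit;\n$x = 1;\n",
    "late_guard.php": "<?php\n$db = connect();\nif (!defined('IN_APP')) { die(); }\n",
    "no_guard.php": "<?php\necho 'secret';\n",
    "html_first.php": "<h1>Admin</h1>\n<?php if (!defined('IN_APP')) die(); ?>\n",
}
ENTRY_POINTS = {"index.php"}  # assumption: files that are meant to be requested directly

# Comments are not code, so drop them before looking for the first statement.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(source, const="IN_APP"):
    """True only if the file's first statement stops execution when const is undefined."""
    if not source.startswith("<?php"):
        return False  # anything before the tag is sent to the client unchecked
    body = _COMMENTS.sub("", source[5:]).lstrip()
    name = re.escape(const)
    guard = re.compile(r"""
        (?: if\s*\(\s*!\s*defined\s*\(\s*['"]%s['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b
          | defined\s*\(\s*['"]%s['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b )
        """ % (name, name), re.X)
    return guard.match(body) is not None

def unguarded_files(root, const="IN_APP", entry_points=ENTRY_POINTS):
    """Walk root and list .php files (relative paths) that lack a leading guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php") or name in entry_points:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not has_guard(fh.read(), const):
                    missing.append(os.path.relpath(path, root))
    return sorted(missing)

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {'guarded' if has_guard(src) else 'NOT guarded'}")
```

A file flagged here still executes PHP on a direct request, which is the case the server-level block proposed in the first post would cover without running any PHP.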