1

How can I protect users not to upload php scripts ?

I put the below codes into .htaccess of ( /uploads/ ) folder.

<Files ^(*.php|*.phps)> order deny,allow deny from all </Files> <FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi.+)$"> ForceType text/plain </FilesMatch>

but i can still upload php files & php files are still executable. what's wrong with me or the codes ?

Improve this question
3
  • 2
    Are you worried about uploading files or just accessing them? Apache configs have nothing to do with your ability to upload a file. Commented Mar 25, 2013 at 4:09
  • Whitelist media files and then validate them with PHP. Commented Mar 25, 2013 at 4:09
  • check the file extension while uploading on server. nothing to do with .htaccess Commented Mar 25, 2013 at 4:10

1 Answer 1

Reset to default
0 
$allowed_ext = array("png","jpeg","gif"); $file_name = $_FILES['file']['name']; $file_ext = end(explode(".",$file_name)); if(in_array($file_ext,$allowed_ext)){ //uplod_here; } else{ //reject }
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

messi fan thanks for the answer, what I'm searching is not the php solution. let say user(or)attacker could bypassed my /uploads/ folder and uploaded php script. but when they execute it, it won't do any action or it will be plain text. ( sorry for my Eng )

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.