拒绝直接访问除 index.php 之外的所有 .php 文件 [英] Deny direct access to all .php files except index.php

问题描述

我想拒绝对所有 .php 文件的直接访问，除了一个:index.php

I want to deny direct access to all .php files except one: index.php

对其他 .php 文件的唯一访问应该是通过 php include.

The only access to the other .php files should be through php include.

如果可能，我希望所有文件都在同一个文件夹中.

If possible I want all files in the same folder.

更新:

一般规则会很好，所以我不需要浏览所有文件.风险是我忘记了文件或行.

A general rule would be nice, so I don't need to go through all files. The risk is that I forget a file or line.

更新 2:

index.php 在文件夹 www.myadress.com/myfolder/index.php

我想拒绝访问 myfolder 中的所有 .php 文件和该文件夹的子文件夹.

I want to deny access to all .php files in myfolder and subfolders to that folder.

推荐答案

您确定要这样做吗?甚至 css 和 js 文件和图像和...?

Are you sure, you want to do that? Even css and js files and images and ...?

好的，首先检查apache中是否安装了mod_access，然后将以下内容添加到您的.htaccess中:

OK, first check if mod_access in installed to apache, then add the following to your .htaccess:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

<Files /index.php>
    Order Allow,Deny
    Allow from all
</Files>

第一个指令禁止访问除本地主机以外的任何文件，因为Order Deny,Allow，Allow 稍后应用，第二个指令只影响 index.php.

The first directive forbids access to any files except from localhost, because of Order Deny,Allow, Allow gets applied later, the second directive only affects index.php.

警告:订单行中逗号后没有空格.

Caveat: No space after the comma in the Order line.

要允许访问匹配 *.css 或 *.js 的文件，请使用以下指令:

To allow access to files matching *.css or *.js use this directive:

<FilesMatch ".*.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

但是，您不能在 .htaccess 文件中使用 或 指令.

You cannot use directives for <Location> or <Directory> inside .htaccess files, though.

您的选择是在第一个允许、拒绝组周围使用 ，然后明确允许访问 index.php.

Your option would be to use <FilesMatch ".*.php$"> around the first allow,deny group and then explicitely allow access to index.php.

Apache 2.4 更新:这个答案对于 Apache 2.2 是正确的.在 Apache 2.4 中，访问控制范式发生了变化，正确的语法是使用 Require all denied.

Update for Apache 2.4: This answer is correct for Apache 2.2. In Apache 2.4 the access control paradigm has changed, and the correct syntax is to use Require all denied.

这篇关于拒绝直接访问除 index.php 之外的所有 .php 文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！