
Blocking PHP on some folders

Posted: Mon Aug 31, 2009 10:58 pm
by asela_05085
hi,
I'm totally new to PHP. My requirement is as follows.
I need to know how to block saving PHP files in a specific folder (a folder where only xhtml/static files should reside) so someone else can't save files with a .php extension. But the administrator should be able to save and execute PHP files in that folder (on a Linux server running Apache).
So my basic requirement is to block saving PHP files for some user group and allow only the administrator to save files with the php extension.

Please help me on this since I have to implement this solution ASAP. :P

thanks

Re: Blocking PHP on some folders

Posted: Mon Aug 31, 2009 11:26 pm
by Benjamin
Moved to PHP - Code

Re: Blocking PHP on some folders

Posted: Tue Sep 01, 2009 1:08 am
by requinix
That's a risky solution.

Just rename the file if an under-privileged user tries to upload a .php file.

Re: Blocking PHP on some folders

Posted: Tue Sep 01, 2009 1:31 am
by asela_05085
hi,

I have to do it automatically: check whether a user is inserting a PHP file and block it.
I'm not too clear on the rename option.

asela

Re: Blocking PHP on some folders

Posted: Tue Sep 01, 2009 1:34 am
by requinix
Somehow you're moving the file from the temporary location to the permanent location. To do that you have to provide the name of the file.

Instead of using the file name as they provided it, if the extension is "php" use something else. Or abort the entire upload.

Re: Blocking PHP on some folders

Posted: Tue Sep 01, 2009 1:44 am
by asela_05085
Is there a way to abort only the php extension? Users (developers) are uploading the files from FTP tools to my server. I need them not to be allowed to upload PHP files.

Re: Blocking PHP on some folders

Posted: Tue Sep 01, 2009 1:57 am
by Benjamin
The correct solution is to configure the FTP server to save the files without execute permissions, and to ensure that Apache will not execute scripts in files that are not executable. This still opens the door to all sorts of confusion and unseen risks. Realistically, any executable PHP files should be located in a separate directory.
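
A periodic audit for the setup discussed in this thread, as an added example that is not part of any post: it lists files in the static-only folder that Apache could treat as PHP and that were not saved by the administrator. The function names, the extension list and the idea of identifying the administrator by numeric UID are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list PHP-capable files in a
# static-only folder that are not owned by the administrator.

# find_foreign_php DIR ADMIN_UID
# Prints, one per line, every regular file under DIR that is not owned by
# ADMIN_UID and whose name matches one of the patterns below.
# Patterns (an assumed list; match it to the server's handler config):
#   *.php *.php[0-9] *.phtml *.pht *.phar   common PHP extensions
#   *.php.*                                 .php followed by a further extension
#   .htaccess                               per-directory Apache overrides
find_foreign_php() {
    find "$1" -type f ! -user "$2" \( \
        -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.pht' -o -iname '*.phar' \
        -o -iname '*.php.*' \
        -o -name '.htaccess' \
    \) | sort
}

# count_foreign_php DIR ADMIN_UID -> number of findings
count_foreign_php() {
    find_foreign_php "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree: builds a constructed sample folder and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sub"
    for f in index.html page.xhtml notes.txt a.php B.PHP c.phtml \
             d.php.jpg sub/e.php5 .htaccess; do
        : > "$d/$f"
    done
    printf '%s\n' "$d"
}

# Demo: every sample file is owned by the current user, so auditing with a
# different (assumed) admin UID reports all six PHP-capable names.
tree=$(make_sample_tree)
find_foreign_php "$tree" "$(( $(id -u) + 1 ))"
rm -rf "$tree"
```

Run against the real folder with the administrator's numeric UID, any output means a non-administrator account has placed a file there that the web server may hand to PHP.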