How do I stop direct HTTP access of script files?

ahmedtheking

9:07 am on Apr 20, 2006 (gmt 0)

How can I use .htaccess to stop people from loading up source code files in their web browser? I.e., is there a way to say that only the process 'PHP' can load up .php files (through require and include) in certain dirs? Or something like that?

barns101

4:59 pm on Apr 20, 2006 (gmt 0)

People can't see the PHP source code because it is parsed on the server and only the resulting HTML is sent to the visitor's browser.

ahmedtheking

5:48 pm on Apr 23, 2006 (gmt 0)

I know that! What I want is to stop them from even being able to get to the file. There must be a way to say '403' if someone tries to access the files

ahmedtheking

6:01 pm on Apr 23, 2006 (gmt 0)

Ok, I've found this (to put in .htaccess):

<Directory inc/.*>
Deny from all
</Directory>

It's meant to stop anyone from accessing the directory inc/... but it doesn't work and I don't know if it restricts people loading files.

jdMorgan

3:38 am on Apr 24, 2006 (gmt 0)

The point is that if your server is configured correctly, any attempt to 'load' or 'download' that file will result in that file being executed on the server, and not downloaded.

If this is a file that is 'included' by another script, then you can place it in a Web-inaccessible directory, as you have arranged with the 'Deny from all' bit. Since a 'file include' is accomplished with a server-internal read, and 'Deny from all' affects only (externally-invoked) HTTP requests and not internal server operations, that should work.

We don't know what you do and don't know, so if you don't say it, then don't take offense if other members assume you don't know it, please.

> but it doesn't work

Please explain, in detail, what that means: How did you test? What were the results? How did those results differ from your expectations? Did you flush your browser cache before testing, so as to avoid getting a cached page instead of requesting a fresh copy from your server? The solution lies in the details.

Jim

Key_Master

3:48 am on Apr 24, 2006 (gmt 0)

The Directory directive can't be used in .htaccess.

ahmedtheking

6:37 am on Apr 24, 2006 (gmt 0)

Ok, I know that PHP is executed on the server, but what I want to stop people doing altogether is being able to type a PHP file (in a certain dir) into the address box of their browser and load it up. It'll still be parsed server side and an error will probably show, but how can I declare a 403 as soon as they access it instead of letting them access it and see the results of server-side parsing?

E.g., disallowing them from seeing what happens if they go to this file:

[lalala...] . something/inc/folder/a-non-public-php-file.php

Hence, disallowing direct access to the script from their browser.

ahmedtheking

6:37 am on Apr 24, 2006 (gmt 0)

Is there a sort of file directive that can work? E.g.:

<Files *.inc.php>
Deny from all
</Files>

Romeo

10:17 am on Apr 24, 2006 (gmt 0)

Another approach could be this:
-- at the top of the main php file, set a constant before doing the first include().
-- in the include file, start with a quick check like
"if that constant is not set then exit".
A visitor calling the bare include file will get a blank screen in this case. Additionally, a header 403 could easily be sent, too.

Kind regards,
R.
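Romeo's constant check, written out as an added example (this is not code from the thread); the file names index.php and inc/functions.inc.php and the constant name IN_APP are assumptions. The include file answers a direct request with a 403 instead of a blank page, while a request to index.php still works because the constant is defined before the include runs:

```php
<?php
// ===== file: index.php (public entry script; hypothetical name) =====
// Mark this request as having come in through a public script. This must
// happen before the first include(), otherwise the include refuses to run.
define('IN_APP', true);

require __DIR__ . '/inc/functions.inc.php';

echo greet('world');

<?php
// ===== file: inc/functions.inc.php (include file; hypothetical name) =====
// First statement in the file: refuse to run unless a public script defined
// IN_APP. A browser request straight to this file never passes through
// index.php, so the constant is missing and we stop here with a 403.
if (!defined('IN_APP')) {
    header('HTTP/1.1 403 Forbidden'); // must be sent before any output
    exit('Forbidden');
}

// Everything below only runs when the file was included by an entry script.
function greet(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

The check works because an included file shares the including script's global scope, so defined('IN_APP') is true inside it. Keep no whitespace or output ahead of the opening <?php tag in the include, or the header() call fails and the 403 is not sent; the exit still stops the script either way. As the thread notes, this needs a line added to every include file, which is why the .htaccess approach below is the less laborious choice across many sites.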

ahmedtheking

2:53 pm on Apr 24, 2006 (gmt 0)

Yeah, I had that idea, but .htaccess can automate this. Instead of me having to go into 50-odd files on about 12 sites, I had the impression that .htaccess could sort this!

SteveLetwin

6:44 pm on Apr 24, 2006 (gmt 0)

In the .htaccess file in the inc directory add this:

<Limit GET POST>
order deny,allow
deny from all
</Limit>

That will stop requests for files as well as directory listings even if "Options +Indexes" is also in there. This will deny requests for ALL files, not just php files. If someone knows how to limit this to just certain file types from within the .htaccess file, do tell.

Also, if you have access to the standard apache config files, then much more can be done, but in a shared environment (like I have) this is not an option.

ahmedtheking

7:16 pm on Apr 24, 2006 (gmt 0)

Yes, I got that already. I'm going to try:

<Files *.php>
order deny,allow
deny from all
</Files>

ahmedtheking

7:31 pm on Apr 24, 2006 (gmt 0)

I've come close, but what I've done is stop access to everything! Super lame! Here's the script, anyone care to debug? PS: this only works on Apache 2+. I don't think there's a way to do it on 1+.

<FilesMatch "\.(inc|cfg|pwd|fcn|rsrc|tmp|js|css|cron|bck|bld|xml|mnu)\.php$">
order deny,allow
deny from all
</FilesMatch>

ahmedtheking

7:37 pm on Apr 24, 2006 (gmt 0)

Oh no, that works! Yay! Ok, here's the lowdown:

<FilesMatch "\.(inc|cfg|pwd|fcn|rsrc|tmp|js|css|cron|bck|bld|xml|mnu)\.php$">
order deny,allow
deny from all
</FilesMatch>

It only works on Apache 2. The pattern is set to stop people from accessing your PHP files anywhere under this .htaccess file, and the pattern includes prefixes (that I use to differentiate PHP files from each other).

Pattern: \.(inc|cfg|pwd|fcn|rsrc|tmp|js|css|cron|bck|bld|xml|mnu)\.php$
\. (dot for the extension), inc or cfg or ... (for prefix), \. (dot), php (obv), $ (end of string!)

Enjoy!
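Before rolling the final FilesMatch rule out to a dozen sites it is worth checking exactly which file names it denies and which it leaves reachable. The script below is an added example, not code from the thread or from Apache: it runs the thread's pattern through preg_match, which uses the same PCRE regex engine that Apache 2's FilesMatch uses and, like FilesMatch, tests only the base file name. The sample names are constructed for the example.

```php
<?php
// Added example: mirrors what Apache's FilesMatch would do with the pattern
// from the thread. Apache matches FilesMatch against the base file name only,
// case-sensitively unless the pattern starts with (?i).
const FILES_MATCH_PATTERN =
    '/\.(inc|cfg|pwd|fcn|rsrc|tmp|js|css|cron|bck|bld|xml|mnu)\.php$/';

/** True when the FilesMatch rule would deny a request for this file. */
function is_denied(string $path): bool
{
    return preg_match(FILES_MATCH_PATTERN, basename($path)) === 1;
}

// Constructed sample paths: some meant to be blocked, some meant to stay public.
$samples = [
    'index.php',               // public entry script: must stay reachable
    'inc/db.cfg.php',          // include with a cfg prefix: denied
    'inc/helpers.inc.php',     // include with an inc prefix: denied
    'inc/helpers.inc.php.bak', // editor backup: NOT matched, name does not end in .php
    'inc/HELPERS.INC.PHP',     // upper case: NOT matched, pattern is case-sensitive
    'inc/functions.php',       // no prefix before .php: NOT matched
];

foreach ($samples as $path) {
    printf("%-26s %s\n", $path, is_denied($path) ? 'denied (403)' : 'served');
}
```

The two unmatched cases in inc/ are the ones to think about. A stray backup copy such as helpers.inc.php.bak is not covered because the $ anchor requires the name to end in .php, and Apache has no PHP handler for a .bak name, so it would send the file contents as-is; dropping the trailing $ (so the rule reads \.(inc|cfg|...)\.php) extends the deny to those names, and SteveLetwin's directory-wide deny on inc/ covers everything in that directory regardless of name. If the server runs on a case-insensitive filesystem, prefix the pattern with (?i) so upper-case requests are matched too.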