Reputation: 1442
For example, in a directory named test I placed an .htaccess file whose only line is php_flag engine off.

In the directory test I placed a file test.php with this code: echo 1+3;

In another file (main.php) I placed include("test.php");

Opening main.php, I see 4 (the result of 1+3).

I added AddType text/plain .php .phtml .php3. The same result.

I expected that, because of php_flag engine off, the code in test.php would not execute.

What do I need to do to prevent the code in test.php from executing?
I am trying to prevent the situation where a hacker somehow uploads a PHP file into the images directory and then either accesses the file directly or includes it from another file.

Measures:
1) Created multiple validations to check that an uploaded file is an image and does not contain any PHP code.
2) Disabled direct access to the images directory (in .htaccess).
3) To be quite sure that a hacker could not include the uploaded PHP file from a file in another directory, as I understand it I must set all directories read only, except the images directory.
Upvotes: 0
Views: 8694
Reputation: 522145
The .htaccess directives are only relevant to Apache when processing the request. It will prevent Apache from directly executing the test.php file (or rather, it will prevent PHP from doing anything when Apache invokes it). However, if Apache is executing a script in some other folder, then you have a running PHP instance. This instance can do whatever it wants. It will not interpret any further .htaccess files or regard any php_flag directives, since those only apply before PHP was started. Once it's running, it's running.

.htaccess files are only interpreted by Apache, as follows. For a request for /foo/bar/test.php, Apache checks whether:

- /.htaccess exists, and applies its rules if so
- /foo/.htaccess exists, and applies its rules if so
- /foo/bar/.htaccess exists, and applies its rules if so

PHP, on the other hand, just directly includes foo/bar/test.php; it doesn't look for or interpret .htaccess files.
Upvotes: 4
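The following script is an added example, not code from the question or the answer above. It reproduces the questioner's setup in a temporary directory, lists the .htaccess files Apache itself would consult for a request to /images/test.php (the per-directory walk the answer describes), and then shows the check the application has to perform instead, because .htaccess cannot stop an include() from a script that is already running: an allow-list of code directories, compared after realpath() so that ../ segments are collapsed. The directory names (images, app) and the function names htaccessChain and safeInclude are assumptions made for this example; it needs only a PHP CLI.

```php
<?php
// Added example, not code from the original question or answer. It assumes a
// PHP CLI (7.x or later) and builds a throwaway layout in the system temp
// directory: an "images" upload directory (with the question's .htaccess)
// and an "app" directory holding application code. Names are made up here.

$root = sys_get_temp_dir() . '/htaccess-demo-' . getmypid();
mkdir("$root/images", 0755, true);
mkdir("$root/app", 0755, true);

// 1. The question's setup: php_flag engine off next to an uploaded PHP file.
//    Apache honours this for a direct request to /images/test.php, but a PHP
//    engine that is already running (started for some other script) never
//    reads .htaccess, so include() still executes the file.
file_put_contents("$root/images/.htaccess", "php_flag engine off\n");
file_put_contents("$root/images/test.php", "<?php echo 1+3;\n");
file_put_contents("$root/app/main.php", "<?php echo 'main ok';\n");

ob_start();
include "$root/images/test.php";
$printed = ob_get_clean();
echo "include() of images/test.php printed: $printed\n";   // 4, despite engine off

// 2. The .htaccess files Apache itself would consult for a request path,
//    from the document root down to the file's directory, in that order.
function htaccessChain(string $docRoot, string $requestPath): array
{
    $chain = ["$docRoot/.htaccess"];
    $dir = $docRoot;
    foreach (array_filter(explode('/', dirname($requestPath))) as $segment) {
        $dir .= "/$segment";
        $chain[] = "$dir/.htaccess";
    }
    return $chain;
}

foreach (htaccessChain($root, '/images/test.php') as $file) {
    printf("%-22s %s\n", substr($file, strlen($root)),
        file_exists($file) ? 'exists, rules applied' : 'absent');
}

// 3. What the application has to do instead: refuse to include anything that
//    does not resolve (after realpath, so ../ tricks are collapsed) into an
//    allow-listed code directory. The upload directory is simply never listed.
function safeInclude(string $path, array $allowedDirs): void
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("not found: $path");
    }
    foreach ($allowedDirs as $dir) {
        $prefix = rtrim((string) realpath($dir), '/') . '/';
        if ($prefix !== '/' && strncmp($real, $prefix, strlen($prefix)) === 0) {
            include $real;
            return;
        }
    }
    throw new RuntimeException("refused: $real is outside the allowed code directories");
}

$allowed = ["$root/app"];
$candidates = [
    "$root/app/main.php",                // application code: allowed
    "$root/images/test.php",             // upload directory: refused
    "$root/app/../images/test.php",      // traversal collapses to the same file: refused
];
foreach ($candidates as $candidate) {
    try {
        ob_start();
        safeInclude($candidate, $allowed);
        echo "allowed: $candidate -> " . ob_get_clean() . "\n";
    } catch (RuntimeException $e) {
        ob_end_clean();
        echo $e->getMessage() . "\n";
    }
}

// Remove the temporary layout.
foreach (["images/.htaccess", "images/test.php", "app/main.php"] as $f) {
    unlink("$root/$f");
}
rmdir("$root/images");
rmdir("$root/app");
rmdir($root);
```

Run it with `php demo.php`. The first line confirms the questioner's observation (the include prints 4 even though the directory carries php_flag engine off), the directory walk shows that only Apache ever reads those files, and the last three lines show the allow-list refusing both the direct path into the upload directory and the ../ variant that resolves to the same file.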