grizwako

Reputation: 1563

How to prevent uploaded file from being executed?

How can I prevent an uploaded file from being executed? For example, someone could upload a PHP file and use it to hack the site; I want to prevent that.

The best way that I know is using directory permissions, and setting them to 666?

Is there some htaccess magic that I can do?

Upvotes: 8

Views: 3137

Answers (2)

Juanma Rodríguez

Reputation: 331

Permissions will not work if you modify them using an FTP client and your server scripts are not using the same user/permissions (the normal WordPress scenario).

If you want to avoid it with .htaccess, this may help.

Tested on LiteSpeed server version 5.4.10

<Files *.php>
deny from all
</Files>
<Files *.*>
deny from all
</Files>
<Files myfile.php>
deny from all
</Files>

Upvotes: 2

user703016

Reputation: 37975

You can just put a .htaccess in your upload folder with the following line:

php_flag engine off

It will disable PHP execution in this directory.

Edited to answer comments: chmod 666 does not prevent PHP execution. It simply marks files as non-executable so you can't run them directly as scripts or binaries. PHP does not care about the permissions of the file; as long as it is readable, it will get parsed and executed by the engine.

So if your server has multiple engines (PHP, Jelly, whatever) you will have to manually build a configuration file that will prevent files within a folder from being interpreted. You could make a script that would generate that file based on what engines are installed on the machine.

Upvotes: 7
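
An audit of an upload folder for the two points made in the answers above, as an added example that is not part of either answer: it checks whether the folder's .htaccess carries `php_flag engine off` or a `<Files>` deny block, and lists PHP-mapped files with their mode to show that 0666 does not take them out of scope. The extension list, function names and sample file are assumptions constructed for the illustration.

```python
import os
import re
import stat
import tempfile

# Extensions commonly mapped to the PHP handler (assumption; match your server's config).
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}
# The two mitigations shown in the answers; commented-out lines do not match.
ENGINE_OFF = re.compile(r"^\s*php_flag\s+engine\s+off\s*$", re.I | re.M)
DENY_PHP = re.compile(
    r'<Files\s+"?\*\.(php|\*)"?\s*>\s*deny\s+from\s+all\s*</Files>', re.I)

def htaccess_blocks_php(upload_dir):
    """True if upload_dir/.htaccess contains one of the two directives."""
    path = os.path.join(upload_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return bool(ENGINE_OFF.search(text) or DENY_PHP.search(text))

def audit_upload_dir(upload_dir):
    """Return (protected, findings); findings are (relative path, octal mode)."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTS:
                full = os.path.join(root, name)
                mode = stat.S_IMODE(os.stat(full).st_mode)
                findings.append((os.path.relpath(full, upload_dir), oct(mode)))
    return htaccess_blocks_php(upload_dir), sorted(findings)

def demo():
    """Constructed sample: a 0666 PHP file is reported before and after the fix."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "avatar.php")
        with open(script, "w") as fh:
            fh.write("<?php echo 'hi';")
        os.chmod(script, 0o666)  # readable, not executable: PHP would still parse it
        before = audit_upload_dir(d)
        with open(os.path.join(d, ".htaccess"), "w") as fh:
            fh.write("php_flag engine off\n")
        after = audit_upload_dir(d)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check only confirms the directive is present in the file; whether Apache honours it depends on `AllowOverride`, and `php_flag` is only recognised when PHP runs as an Apache module.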
