I have a site that is made up of PHP pages, but they are served to the user through includes based on what I think they need. If they can guess the name of a PHP file, they can access those pages. While this is not a security risk at all, I would rather have a way to catch this and redirect them to somewhere else.

I really want everything to go through the index page unless it is a file that exists (the exception being any file ending with .php).

I tried this; it didn't work:

RewriteEngine on
RewriteCond %{REQUEST_URI} !(.*\.php$) [NC]
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteRule .* /n/index.php [NC]
+3  A: 

One way to handle this would be to define a constant in the page doing the including:

define("access", "legitimate");

Then at the start of each included file:

if(!defined('access')){
    header("Location:index.php");
    die(); // make sure to call die() or the rest of the page will be parsed
}

This is the way many frameworks and CMSs handle this issue (off the top of my head, Joomla! and CodeIgniter) - you don't need to mess about with .htaccess, and it will also work across various hosting platforms.

John McCollum
+4  A: 

Maybe you can put the PHP files in a directory outside the web path?

Johan
+1. That's one of the best things you can do.
Crozin
+1  A: 

I think something like this will work for you:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
RewriteRule \.php$ index.php [L]
ksangers
A: 
RewriteEngine on
RewriteCond %{REQUEST_URI} .*\.php$ [NC]
RewriteRule !^index\.php$ error.php

This works for me, and looks like it should do what you want. Putting the scripts you don't want direct access to outside of the web path is the better answer though - it doesn't require special rules (that may later break and require changing) nor extensions.

pdehaan
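
An added example, not code from any of the answers: a front controller that combines two of the suggestions above (the guard constant and keeping the page scripts outside the web path) and resolves the requested page through an allow-list instead of a file name taken from the request. The directory layout, the `page` query parameter and the page names are assumptions.

```php
<?php
// public/index.php: the only PHP file inside the document root.
// Assumed layout (hypothetical paths):
//   /var/www/site/public/   <- document root, contains only index.php and static files
//   /var/www/site/pages/    <- page scripts, not reachable by URL
declare(strict_types=1);

// Guard constant from the first answer. Each file in pages/ can still start with
//   if (!defined('access')) { header("Location:index.php"); die(); }
// as a second layer in case the directory is ever exposed by a config change.
define('access', 'legitimate');

// Directory holding the page scripts, one level above the document root.
const PAGES_DIR = __DIR__ . '/../pages';

// Allow-list: request key => file name. Only these files can ever be included,
// so the request never supplies a path, only a key into this table.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/** Return the absolute path of an allowed page, or null if the request is not allowed. */
function resolve_page($requested): ?string
{
    // Reject arrays (?page[]=x) and anything that is not a known key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Defence in depth: the resolved file must live inside PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
require $page;
```

With this layout a guessed name such as `/contact.php` is simply a missing file for the web server, so no rewrite rule is needed to block it.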