views:

51

answers:

3

I have a script myscript.inc.php which handles all URLs that look like /script-blah. I accomplish this by using the following .htaccess:

RewriteEngine On
RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]

However, users could also access it another way, by typing /myscript.inc.php?s=blah. I would like to prevent that. I tried:

<Files ~ "\.inc\.php$">
 Order deny,allow
 Deny from all
</Files>

and

RewriteCond %{REQUEST_URI} \.inc\.php
RewriteRule .* - [F,L,NS]

They both prevent users from viewing /myscript.inc.php?s=blah, but they also cause /script-blah to return 403...

Is there a way to do this correctly?

+2  A: 

While not directly addressing your question, this may help:

The best practice would be to place the PHP files outside of the public web root.

For example, if your items live in:

/blah/public_html/

Then place your PHP files outside of the web root at:

/blah/
byte
+3  A: 

You could also try the following (a number of open source packages do this):

  • place a blank index.html in every folder
  • use this rule in .htaccess to block folder listing: Options -Indexes
  • place a line that makes scripts die when a global constant isn't found

For example, here is Kohana's "toss out invalid accesses". It is the first line in all PHP files.

<?php defined('SYSPATH') or die('No direct script access.'); ?>

This line basically says "if not included via index.php, where SYSPATH is defined, we will abort the script and show a friendly message".

alex
I have index.php files in every directory, so users will not see scripts that way. However, they can still be accessed.
Ghostrider
A: 

You could redirect if it is a filename:

# -f (not =-f) is the file-exists test: true when the requested path is an existing regular file
RewriteCond %{REQUEST_FILENAME} -f
Don
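As an added example (not from any of the posters above), here is a .htaccess that forbids direct requests for *.inc.php while still letting the /script-blah rewrite reach the file. The two attempts in the question fail because <Files> and %{REQUEST_URI} are evaluated again after the internal rewrite, when the target is already myscript.inc.php; %{THE_REQUEST} holds the client's original request line and is not changed by rewrites, so it only matches what the user actually typed.

```apache
RewriteEngine On

# Forbid any request whose original request line names an .inc.php file.
# THE_REQUEST looks like "GET /myscript.inc.php?s=blah HTTP/1.1" and is
# left untouched by internal rewrites, so the rule below does not trip it.
RewriteCond %{THE_REQUEST} \s/[^\s?]*\.inc\.php[\s?/] [NC]
RewriteRule ^ - [F,L]

# Pretty URL -> internal rewrite to the include file (the rule from the question).
RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]
```

After deploying, a request for /script-blah should still succeed while /myscript.inc.php?s=blah (in any directory, any letter case) returns 403.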