Tutorial :Hide *.inc.php from website visitors


I have a script myscript.inc.php which handles all urls that look like /script-blah I accomplish this by using following .htaccess

RewriteEngine On   RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]  

However users could also access it this way by typing /myscript.inc.php?s=blah I would like to prevent that. I tried

<Files ~ "\.inc\.php$">   Order deny,allow   Deny from all  </Files>  


RewriteCond %{REQUEST_URI} \.inc\.php  RewriteRule .* - [F,L,NS]  

They both prevent users from viewing /myscript.inc.php?s=blah but they also cause /script-blah to return 403...

Is there a way to do this correctly?


I use the following method to protect my .inc.php files. Add the following to your .htaccess:

#Prevent Users From Accessing .inc.php files in .htaccess  <Files ~ ".inc.php$">  Order allow,deny  Deny from all  </Files>  


You could also try the following (a number of open source packages do this)

  • place a blank index.html in every folder
  • use this rule in .htaccess to block folder reading Options -Indexes
  • place a line that dies scripts where a global constant isn't found

For example, here is Kohana's "toss out invalid accesses". It is the first line in all PHP files.

<?php defined('SYSPATH') or die('No direct script access.'); ?>  

This line basically says "if not included via index.php where SYSPATH is defined, we will abort script and show a friendly message"


You could redirect if it is a filename

RewriteCond %{REQUEST_FILENAME} =-f   

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »