[英]How to stop direct execution of a php page using htaccess rules?

In my .htaccess file I have defined the following rule to make my register page URL as http://example.com/register/


RewriteRule register/ /register.php

The above rule is perfectly fine but I can access my register page from http://example.com/register/ as well as from http://example.com/register.php.


I don't want that user will be able to access the URL from http://example.com/register.php URL, is there any RULE which I can define in .htaccess to stop execution of register.php URL or simply redirect any direct register.php request to /register/

我不希望該用戶能夠訪問http://example.com/register.php URL中的URL,是否有我可以在.htaccess中定義的RULE來停止執行register.php URL或只是重定向任何直接register.php請求/ register /

6 个解决方案


If you are doing this to avoid getting multiple links to the same content, you can simply don't use "register.php" anywhere on your page. I think no search engine will "guess" for a certain file type and if there are no security concerns you are on the safe side, because in my opinion no user will link to this file either. However if you want to be certain just reroute all your functionality through an index.php via one line in your .htaccess which should be placed inside your www-root directory:


RewriteEngine on
RewriteRule ^(.*?)$ index.php?file=$1

In your index.php you can then simply choose which function/file to invoke by breaking down and checking the $_GET["file"] parameter. To make 100% certain no one can access your register.php file directly just move it (and all your others) to a separate directory and include a .htaccess file with the following line:

在index.php中,您可以通過分解並檢查$ _GET [“file”]參數來簡單地選擇要調用的函數/文件。要100%確定沒有人可以直接訪問您的register.php文件,只需將它(以及所有其他人)移動到一個單獨的目錄,並包含一個.htaccess文件,其中包含以下行:

DENY from all 

There are a couple of other options to prevent direct access. Just define() a variable somewhere in your index.php and at the top of your register.php just put


defined('access') or die('Intruder alert!');

at the top. Another way could be to be honest and simply tell search engines that your content has been moved and that they no longer should use the old link:


header("Status: 301"); /* Content moved permanently */
header("Location: http://yourserver/Register/");


Just one more thing that crossed my mind, you can also check $_SERVER["REQUEST_URI"], whether the user attached any ".php" and act accordingly by either denying access completely or just redirecting to the new location.

還有一件事在我腦海中浮現,您還可以檢查$ _SERVER [“REQUEST_URI”],無論用戶是否附加任何“.php”並通過完全拒絕訪問或僅重定向到新位置來采取相應行動。


It is true that you cannot use location directive, but you can actually paste .htaccess file into any directory.


Just if you put this into it, say:


Options -Indexes
order   allow,deny
deny    from all

you can copy paste this file into any (root) directory you want to protect from external execution.



To check the initial requested URL path, you need to use the request line. So try this rule:


RewriteCond %{THE_REQUEST} ^GET\ /[^?\s]+\.php[/?\s]
RewriteRule (.+)\.php$ /$1 [L,R=301]

And then again your rule (in a slightly modified way):


RewriteRule ^register/$ register.php


Try this.

RewriteCond %{REQUEST_FILENAME} ^register\.php$ [NC]
RewriteRule ^/register register.php

Or this

Redirect register.php /register


Ignoring the user-experience part, you can implement the new rel=canonical link to sort out the search engines.

忽略用戶體驗部分,您可以實現新的rel = canonical鏈接來整理搜索引擎。

Although, for this case you should probably just use a 301 redirect from /register.php to /register/

雖然,對於這種情況,您應該只使用/register.php中的301重定向到/ register /

In register.php

if ( stristr( $_SERVER['REQUEST_URI'], '.php' ) )
    header ('HTTP/1.1 301 Moved Permanently');
    header ('Location: /register');


If you want to completely block /register.php by using mod_rewrite, use a variant of SleepyCod's answer:


RewriteCond %{REQUEST_FILENAME} register\.php [NC]
RewriteCond %{IS_SUBREQ} false
RewriteRule .* - [F,L]


  • [NC]: Makes the condition case-insensitive, just in case you're on a windows box.
  • [NC]:使條件不區分大小寫,以防您在Windows框中。

  • Condition 1: The requested filename is 'register.php', and
  • 條件1:請求的文件名是'register.php',和

  • Condition 2: The request is no subrequest (this is important, since every new round through RewriteRules actually creates subrequests).
  • 條件2:請求不是子請求(這很重要,因為通過RewriteRules的每個新輪實際上都會創建子請求)。

  • Rule: essentially do nothing
  • 規則:基本上什么都不做

  • Flags: [F]: Send an 403 Forbidden header, [L]: This is the last rule to apply, skip all following rewrite rules
  • 標志:[F]:發送403 Forbidden標頭,[L]:這是要應用的最后一條規則,跳過所有后續重寫規則

Rewriting correctly is an art by itself. I suggest you carefully read http://httpd.apache.org/docs/2.2/rewrite/.





粤ICP备14056181号  © 2014-2021 ITdaan.com