如何使用htaccess規則停止直接執行php頁面?

[英]How to stop direct execution of a php page using htaccess rules?


In my .htaccess file I have defined the following rule to make my register page URL as http://example.com/register/

在我的.htaccess文件中,我定義了以下規則,使我的注冊頁面URL為http://example.com/register/

RewriteRule register/ /register.php

The above rule is perfectly fine but I can access my register page from http://example.com/register/ as well as from http://example.com/register.php.

上面的規則非常好,但我可以從http://example.com/register/以及http://example.com/register.php訪問我的注冊頁面。

I don't want that user will be able to access the URL from http://example.com/register.php URL, is there any RULE which I can define in .htaccess to stop execution of register.php URL or simply redirect any direct register.php request to /register/

我不希望該用戶能夠訪問http://example.com/register.php URL中的URL,是否有我可以在.htaccess中定義的RULE來停止執行register.php URL或只是重定向任何直接register.php請求/ register /

6 个解决方案

#1


If you are doing this to avoid getting multiple links to the same content, you can simply don't use "register.php" anywhere on your page. I think no search engine will "guess" for a certain file type and if there are no security concerns you are on the safe side, because in my opinion no user will link to this file either. However if you want to be certain just reroute all your functionality through an index.php via one line in your .htaccess which should be placed inside your www-root directory:

如果您這樣做是為了避免獲得相同內容的多個鏈接,您可以在頁面的任何位置使用“register.php”。我認為沒有搜索引擎會“猜測”某種文件類型,如果沒有安全問題,那么你是安全的,因為我認為沒有用戶會鏈接到這個文件。但是,如果您想確定通過index.php通過.htaccess中的一行重新路由所有功能,該行應放在www-root目錄中:

RewriteEngine on
RewriteRule ^(.*?)$ index.php?file=$1

In your index.php you can then simply choose which function/file to invoke by breaking down and checking the $_GET["file"] parameter. To make 100% certain no one can access your register.php file directly just move it (and all your others) to a separate directory and include a .htaccess file with the following line:

在index.php中,您可以通過分解並檢查$ _GET [“file”]參數來簡單地選擇要調用的函數/文件。要100%確定沒有人可以直接訪問您的register.php文件,只需將它(以及所有其他人)移動到一個單獨的目錄,並包含一個.htaccess文件,其中包含以下行:

DENY from all 

There are a couple of other options to prevent direct access. Just define() a variable somewhere in your index.php and at the top of your register.php just put

還有其他一些選項可以阻止直接訪問。只需在index.php中的某個地方定義()一個變量,然后在register.php的頂部放置

defined('access') or die('Intruder alert!');

at the top. Another way could be to be honest and simply tell search engines that your content has been moved and that they no longer should use the old link:

在頂部。另一種方法可能是誠實,只是告訴搜索引擎您的內容已被移動,他們不再使用舊鏈接:

header("Status: 301"); /* Content moved permanently */
header("Location: http://yourserver/Register/");
exit;

Update

Just one more thing that crossed my mind, you can also check $_SERVER["REQUEST_URI"], whether the user attached any ".php" and act accordingly by either denying access completely or just redirecting to the new location.

還有一件事在我腦海中浮現,您還可以檢查$ _SERVER [“REQUEST_URI”],無論用戶是否附加任何“.php”並通過完全拒絕訪問或僅重定向到新位置來采取相應行動。

#2


It is true that you cannot use location directive, but you can actually paste .htaccess file into any directory.

確實,您不能使用location指令,但您實際上可以將.htaccess文件粘貼到任何目錄中。

Just if you put this into it, say:

如果你把它放進去,說:

Options -Indexes
order   allow,deny
deny    from all

you can copy paste this file into any (root) directory you want to protect from external execution.

您可以將此文件復制粘貼到要防止外部執行的任何(根)目錄中。

#3


To check the initial requested URL path, you need to use the request line. So try this rule:

要檢查初始請求的URL路徑,您需要使用請求行。所以試試這個規則:

RewriteCond %{THE_REQUEST} ^GET\ /[^?\s]+\.php[/?\s]
RewriteRule (.+)\.php$ /$1 [L,R=301]

And then again your rule (in a slightly modified way):

然后再次你的規則(略微修改):

RewriteRule ^register/$ register.php

#4


Try this.

RewriteCond %{REQUEST_FILENAME} ^register\.php$ [NC]
RewriteRule ^/register register.php

Or this

Redirect register.php /register

#5


Ignoring the user-experience part, you can implement the new rel=canonical link to sort out the search engines.

忽略用戶體驗部分,您可以實現新的rel = canonical鏈接來整理搜索引擎。

Although, for this case you should probably just use a 301 redirect from /register.php to /register/

雖然,對於這種情況,您應該只使用/register.php中的301重定向到/ register /

In register.php

if ( stristr( $_SERVER['REQUEST_URI'], '.php' ) )
{
    header ('HTTP/1.1 301 Moved Permanently');
    header ('Location: /register');
}

#6


If you want to completely block /register.php by using mod_rewrite, use a variant of SleepyCod's answer:

如果你想通過使用mod_rewrite完全阻止/register.php,請使用SleepyCod的答案變體:

RewriteCond %{REQUEST_FILENAME} register\.php [NC]
RewriteCond %{IS_SUBREQ} false
RewriteRule .* - [F,L]

Explanation:

  • [NC]: Makes the condition case-insensitive, just in case you're on a windows box.
  • [NC]:使條件不區分大小寫,以防您在Windows框中。

  • Condition 1: The requested filename is 'register.php', and
  • 條件1:請求的文件名是'register.php',和

  • Condition 2: The request is no subrequest (this is important, since every new round through RewriteRules actually creates subrequests).
  • 條件2:請求不是子請求(這很重要,因為通過RewriteRules的每個新輪實際上都會創建子請求)。

  • Rule: essentially do nothing
  • 規則:基本上什么都不做

  • Flags: [F]: Send an 403 Forbidden header, [L]: This is the last rule to apply, skip all following rewrite rules
  • 標志:[F]:發送403 Forbidden標頭,[L]:這是要應用的最后一條規則,跳過所有后續重寫規則

Rewriting correctly is an art by itself. I suggest you carefully read http://httpd.apache.org/docs/2.2/rewrite/.

正確地重寫本身就是一門藝術。我建議你仔細閱讀http://httpd.apache.org/docs/2.2/rewrite/。

Cheers,


注意!

本站翻译的文章,版权归属于本站,未经许可禁止转摘,转摘请注明本文地址:https://www.itdaan.com/blog/2009/07/09/72fe31f26bca39581ea1eba08491e395.html



 
粤ICP备14056181号  © 2014-2021 ITdaan.com