问题
Ok, so I have set the .htaccess like so:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)$ index.php
so as you can see I'm parsing everything to index except files because I need to "include" the php files and also displaying of images.
If users will type for example www.site.com/login.php that will show the login php page.
How do I prevent access to the php pages but also allow to "include" them?
回答1:
Move them outside of your document root. They can be safely included from there but not accessed over the web.
回答2:
If I understand the question do you want to not allow the user to go to other files if not logged in ? If so you can use php sessions to set a variable that they are logged in otherwise redirect to index
(If I understand the question)
回答3:
If you wanna go that route (the outside webroot advise is the correct one!) then you could use a rule like that (see regex negative lookahead):
RewriteRule ^(?!index).+\.php$ - [F]
That's sloppy in that would allow index2.php or indexdir/xyz.php still; it just pevents anything that's not index*.php from being accessed. Make sure to also disallow .cgi or .phtml or .tpl if need be.
来源:https://stackoverflow.com/questions/14492734/prevent-access-to-php-pages