Use .htaccess file to stop "execution" of PHP files in dir

[Wuhtzu]

Hey

 

I have the following directory structure on my webserver:

 

\wuhtzu\ ("site specific folder")

\wuhtzu\webroot\ (apache virtual host webroot of wuhtzu.dk)

\wuhtzu\webroot\download\ (dir in question)

 

Can I from the dir "\wuhtzu\webroot\" make an .htaccess file which will prevent any PHP file from being viewed / run / executed / loaded from the dir "\wuhtzu\webroot\download\"?

 

What I want to prevent is this from happening: www.wuhtzu.dk/download/i_fuck_your_server_up.php. The reason why I have this concern is because I give some people ftp access to this dir (I could place it outside the webroot, but I need "webserver access" too) and they could do stupid stuff. I need the .htaccess file to be one level up from the \download\ dir so people with the ftp account can't delete it

 

Any advice would be much appreciated.

 

Wuhtzu

 

[rhodesa]

The easy thing to block all access to that dir from the web is to put an .htaccess file in the download dir with this line it is:

deny from all

 

I bet you could limit it to just PHP files though if you use FilesMatch:

http://httpd.apache.org/docs/1.3/mod/core.html#filesmatch

[Wuhtzu]

The problem is I want to allow people to access stuff like .zip and .rar from the web and ftp. But yes filematch sounds interresting, I'll look into it. Thank you!

 

Other suggestions?