how to protect server directory using .htaccess

Question

I have designed a website, and within it I have a range of PHP scripts which interact with my system. For example, if a user uploads an image, this is processed by the script

Answer 1

You can't really prevent direct requests to the files, and still have them remain accessible to other requests. The best you can do is mask their location, and control how they are accessed.

One way you could go is to create a PHP "switch" script, which would include the scripts for you, rather than have Apache request them directly.

For example, if you had your scripts/image.php rule target switch.php?file=image.php instead, somewhat like:

RewriteRule ([^\.]+\.(jpe?g|png|gif)$ switch.php?file=image.php&rw=1&meta=$1 [L,QSA]

You could add deny from all to the scripts/.htaccess file and do this in your switch.php file.

The $_POST['rw'] there is a weak check, to see if the rule came from a RewriteRule, meant to prevent direct requests to the file. Pretty easy to bypass if you know it is there, but effective against random requests by bots and such.

This way, direct requests to either scripts/image.php and switch.php?file=image.php would fail, but requests to any image file would trigger the scripts/image.php script.