How to safely prevent uploaded file from being run via PHP on any server?

独厮守ぢ 2021-02-15 13:13

I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run wit

10 answers
  •  予麋鹿 (OP)
    2021-02-15 13:58

    First of all you need to understand what happens here:

    test.xyz.php.whatever.zyx
    

    Such a file on a webserver on its own would do nothing. Only added configuration does tell Apache to execute PHP on that file.

    So if you remove that added configuration, Apache won't care to find .php in there - be it at the very end or part of a stacked file-extension.

    Check which handler you have set for php in your server configuration. Remove it for the upload directory. This then won't resolve any other configuration issues you might have with uploaded files, however PHP files aren't executed by PHP any longer then - which is what you want if I understood you right.

    If you've got a problem to find out what this is about, you need to post your PHP configuration in your httpd.conf file and associated Apache HTTPD configuration files for your system.

    The directive somebody told you for .htaccess:

    php_flag engine off
    

    does only work if you're running PHP as an Apache SAPI module.
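An added example, not part of the original answer: a simplified Python model of the documented mod_mime behaviour behind the stacked-extension case above, where `AddHandler` is matched against every dot-separated extension while a `FilesMatch` pattern anchored with `$` only sees the end of the name. The two config snippets are constructed samples, the function names are hypothetical, and directives such as `RemoveHandler` or `AddType` are not modelled.

```python
import re

# Constructed sample configs (assumptions, not taken from the page).
RISKY_CONF = """
AddHandler application/x-httpd-php .php
"""
SAFER_CONF = r"""
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

def parse_conf(text):
    """Collect AddHandler extensions and FilesMatch+SetHandler regexes that point at PHP."""
    add_exts, patterns, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'<FilesMatch\s+"?(.+?)"?\s*>$', line, re.I)
        if m:
            current = m.group(1)          # regex of the section we are now inside
            continue
        if line.lower().startswith("</filesmatch"):
            current = None
            continue
        parts = line.split()
        if len(parts) < 2 or "php" not in parts[1].lower():
            continue
        directive = parts[0].lower()
        if directive == "addhandler" and current is None:
            # mod_mime treats extensions case-insensitively, with or without the dot
            add_exts.update(e.lstrip(".").lower() for e in parts[2:])
        elif directive == "sethandler" and current is not None:
            patterns.append(re.compile(current))
    return add_exts, patterns

def runs_as_php(filename, conf_text):
    """True if this (simplified) config would hand the file to the PHP handler."""
    add_exts, patterns = parse_conf(conf_text)
    # Every component after the base name counts as an extension for AddHandler.
    exts = [e.lower() for e in filename.split(".")[1:]]
    if any(e in add_exts for e in exts):
        return True
    return any(p.search(filename) for p in patterns)

def audit(filenames, conf_text):
    """Return the names in an upload directory listing that would be executed."""
    return [f for f in filenames if runs_as_php(f, conf_text)]
```

Running `audit()` over a listing of the upload directory with the server's real handler lines shows which stored names the handler would still pick up.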
