How to safely prevent uploaded file from being run via PHP on any server?

Backend · Unresolved · 10 answers · 2101 views
独厮守ぢ 2021-02-15 13:13

I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run wit

10 answers
  •  暗喜 (original poster)
     2021-02-15 13:53

    Instead of php_flag engine off, you could remove the handler for PHP files using an .htaccess file for a single directory.

    In the directory you are disabling PHP in, your .htaccess should include:

    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType .php .phtml .php3 .php4 .php5
    

    You can likely get away with the below, however, depending on which AddHandler types you have configured in your default Apache configuration, which, on Windows, should be in C:\Program Files\Apache\conf\httpd.conf

    RemoveHandler .php
    RemoveType .php
    

    You will also need to ensure that, in your main Apache configuration file, the directory containing the .htaccess file is covered by a Directory statement which has AllowOverride FileInfo set. You may wish to consider AllowOverride All if you will be using .htaccess files for other purposes - see the Apache documentation for AllowOverride for an explanation of the differences.
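
A complete configuration that applies this answer, added here as an example and not taken from the original post. The directory path, the PHP module names in the IfModule blocks and the extension list are assumptions; adjust them to the server in question. It goes a step beyond the answer: RemoveHandler only undoes mappings made with AddHandler, so the example also resets handlers that were attached with SetHandler inside a FilesMatch block (the usual wiring for PHP-FPM), and turns the mod_php engine off where that module is loaded.

```apache
# --- httpd.conf (or a conf.d/ snippet): scope the override to the upload tree ---
# /var/www/html/uploads is an assumed example path; use the real upload directory.
<Directory "/var/www/html/uploads">
    # FileInfo is what permits RemoveHandler, RemoveType and SetHandler in the
    # .htaccess below. Nothing broader is granted.
    AllowOverride FileInfo
    Options -ExecCGI -Includes
</Directory>

# --- /var/www/html/uploads/.htaccess ---
# 1. Undo any AddHandler/AddType mapping for PHP extensions inherited from the
#    main configuration. mod_mime matches extensions anywhere in the file name,
#    which is why test.xyz.php.whatever.zyx was executed in the first place.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phps .phar

# 2. Distributions that run PHP-FPM usually attach the handler with
#    SetHandler "proxy:..." inside a FilesMatch block rather than AddHandler.
#    RemoveHandler does not touch those, so reset the handler explicitly for
#    any name containing a PHP-looking extension (followed by a dot or the end).
<FilesMatch "\.ph(p[0-9]*|tml|ps|ar)(\.|$)">
    SetHandler None
</FilesMatch>

# 3. Defence in depth: if mod_php is loaded, switch the engine off as well.
#    The IfModule guard stops php_flag from causing a 500 on servers without
#    mod_php. The module file name varies by PHP version (assumed here):
#    mod_php5.c, mod_php7.c, and mod_php.c for PHP 8.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

To check the result, drop a file named like the one in the question (for example a `<?php phpinfo(); ?>` one-liner saved as test.xyz.php.whatever.zyx) into the upload directory and request it: the server should return the raw bytes or offer them as a download, never the PHP output. If you would rather refuse to serve such names at all, replace `SetHandler None` in the FilesMatch block with `Require all denied`; that directive needs `AllowOverride FileInfo AuthConfig` in the Directory block.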
