如何使用 htaccess 规则停止直接执行 php 页面?

2022-01-04 00:00:00 php .htaccess apache url-rewriting

在我的 .htaccess 文件中,我定义了以下规则以使我的注册页面 URL 为 http://example.com/register/

In my .htaccess file I have defined the following rule to make my register page URL as http://example.com/register/

RewriteRule register/ /register.php

上述规则非常好,但我可以从 http://example.com/register/ 以及从 http://example.com/register 访问我的注册页面.php.

The above rule is perfectly fine but I can access my register page from http://example.com/register/ as well as from http://example.com/register.php.

我不希望该用户能够从 http://example.com/register.php URL 访问 URL,是否有任何我可以在 .htaccess 中定义的规则停止执行 register.php URL 或简单地将任何直接 register.php 请求重定向到/register/

I don't want that user will be able to access the URL from http://example.com/register.php URL, is there any RULE which I can define in .htaccess to stop execution of register.php URL or simply redirect any direct register.php request to /register/

推荐答案

如果您这样做是为了避免获得指向同一内容的多个链接,您就不能在页面的任何位置使用register.php".我认为没有搜索引擎会猜测"某种文件类型,如果没有安全问题,你就安全了,因为在我看来,也没有用户会链接到这个文件.但是,如果您想确定只需通过 .htaccess 中的一行通过 index.php 重新路由所有功能,该行应放置在您的 www-root 目录中:

If you are doing this to avoid getting multiple links to the same content, you can simply don't use "register.php" anywhere on your page. I think no search engine will "guess" for a certain file type and if there are no security concerns you are on the safe side, because in my opinion no user will link to this file either. However if you want to be certain just reroute all your functionality through an index.php via one line in your .htaccess which should be placed inside your www-root directory:

RewriteEngine on
RewriteRule ^(.*?)$ index.php?file=$1

在您的 index.php 中,您可以通过分解和检查 $_GET["file"] 参数来简单地选择要调用的函数/文件.为了 100% 确定没有人可以直接访问您的 register.php 文件,只需将它(以及您的所有其他文件)移动到一个单独的目录中,并包含一个 .htaccess 文件和以下行:

In your index.php you can then simply choose which function/file to invoke by breaking down and checking the $_GET["file"] parameter. To make 100% certain no one can access your register.php file directly just move it (and all your others) to a separate directory and include a .htaccess file with the following line:

DENY from all 

还有其他几个选项可以防止直接访问.只需 define() 在你的 index.php 和 register.php 的顶部放置一个变量

There are a couple of other options to prevent direct access. Just define() a variable somewhere in your index.php and at the top of your register.php just put

defined('access') or die('Intruder alert!');

在顶部.另一种方法可能是诚实地告诉搜索引擎您的内容已被移动,他们不应再使用旧链接:

at the top. Another way could be to be honest and simply tell search engines that your content has been moved and that they no longer should use the old link:

header("Status: 301"); /* Content moved permanently */
header("Location: http://yourserver/Register/");
exit;

更新

还有一件让我想到的事情,您还可以检查 $_SERVER["REQUEST_URI"],用户是否附加了任何.php",并通过完全拒绝访问或仅拒绝访问来采取相应措施重定向到新位置.

Just one more thing that crossed my mind, you can also check $_SERVER["REQUEST_URI"], whether the user attached any ".php" and act accordingly by either denying access completely or just redirecting to the new location.

相关文章