Tell Apache whether or not to run PHP on requests

综合编程 2018-02-05

I am using PHP with Apache and wonder if there is a way to indicate from the client side that the requested PHP file shouldn't be executed/parsed. By standard, I want all PHP files to be executed when requested, but I want a way to indicate from the client side that the file should not be executed.

A nice solution would be to supply an extra header in the request using JavaScript and then write some code in a .htaccess
file to check if the header is present, and if it is tell apache to not execute the file and just serve it as text.

Using GET parameters or something else would also be okay.

Is this possible? If so, how?

supply an extra header in the request [using JavaScript] and then write some code in a .htaccess file to check if the header is present

You could get Apache to check for this (secret) header and internally rewrite the request to a viewAsSource.php
-type file that then reads the REQUEST_URI
(or a passed query string parameter) and returns the file source instead. Similar to @LucasKrupinski suggestion, except you don't need to include anything in the PHP file itself.

For example, in your root .htaccess

RewriteEngine On

# Block direct access to any file in the /tools directory
RewriteRule ^tools/ - [F]

# Display PHP source...
RewriteCond %{HTTP:X-Action} ^display-source$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (.+.php)$ tools/display-source.php?url=$1 [L]

For all .php
requests this checks for the X-Action
HTTP request header having a value of "display-source" and that the requested file exists. If these conditions are met then the request is internally written to a /tools/display-source.php
script, passing the URL in the url
parameter. You could instead check the $_SERVER['REQUEST_URI']
superglobal, but note that this also includes any query string that is passed on the request.

Then, in display-source.php
, something like:

$url = isset($_GET['url']) ? $_GET['url'] : null;
if (isset($url)) {
    $file = $_SERVER['DOCUMENT_ROOT].'/'.$url;
    // Validate $file....
    // :


PHP 5.3 Closures and Reflection Note This post is outdated (2009). Specifically, the Callable typehint and Closure typehints should be preferred to is_callable && i...
由Typecho 深入理解PHP反序列化漏洞 零、前言 Typecho是一个轻量版的博客系统,前段时间爆出getshell漏洞,网上也已经有相关的漏洞分析发布。这个漏洞是由PHP反序列化漏洞造成的,所以这里我们分析一下这个漏洞,并借此漏洞深入理解PHP反序列化漏洞。 一、 PHP反序列化漏洞 1.1 漏洞简介 PHP反序列化漏洞...
多用户商城系统Php、Asp、.Net、Jsp哪个好?... 2017年阿里巴巴天猫双11再次创造了全球零售史上的新纪录,全天交易额达到1682亿元,京东双11期间战报最终销售额超过了1271亿,“互联网+”时代,新零售大势之下,阿里、京东、苏宁等巨头在快马加鞭进行电商商业布局,但是搭建同天猫、京东商城系统用PHP、.net、Asp、Jsp哪个好呢? ...
Reverse-proxying a SOAP API accessed via PHP’... I'm documenting this here, just because it's something I imagine I might have to do again someday... and when I do, I want to save myself hours of pai...
PHP ONE Script to handle ALL requests I just started with PHP development and I've been looking at my company's web server files. The previous programmers have put a single endpoint to han...