PHP：允许为用户上传.php文件，如何防止它们运行？

I am allowing people to upload their project files, I've tightened my security but I just need to get to the simple point. How can I stop execution of any files in the subdirectories they're uploading too?

我允许人们上传他们的项目文件，我加强了我的安全性，但我只需要简单点。如何停止执行他们上传的子目录中的任何文件？

I'm thinking .htaccess but I'd need to generate one for each new subdirectory (I think), would I need to scrap my current code and use a .php file to send headers to force DL on the file instead of running?

我在想.htaccess但是我需要为每个新的子目录生成一个（我想），我是否需要废弃当前的代码并使用.php文件发送标头强制文件上的DL而不是运行？

What do you think is an easy and safe solution for this? It just uploads to a subdirectory like uploads/~foo/bar.html or something, it looks nice that way so it'd be nice if it can stay like that format.

您认为这是一个简单而安全的解决方案吗？它只是上传到像uploads / ~foo / bar.html之类的子目录，它看起来很漂亮，所以如果它能保持这样的格式会很好。

2 个解决方案

#1

Put this in uploads/.htaccess:

把它放在uploads / .htaccess中：

RemoveType application/x-httpd-php .php

RemoveType application / x-httpd-php .php

This will work for all subfolders. Also make sure you don't parse .htaccess in the users folders. This can be done by AllowOverride None in the main server config, or it can be done by not allowing uploads of .htaccess files in the first place.

这适用于所有子文件夹。还要确保您不解析用户文件夹中的.htaccess。这可以通过主服务器配置中的AllowOverride None来完成，也可以通过不允许首先上传.htaccess文件来完成。

#2

If for example these uploaded files are in the directory "uploads" and subdirectories of it:

例如，如果这些上传的文件位于目录“uploads”及其子目录中：

RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]

#1