Archive

Posts Tagged ‘.htaccess’

Turn Off PHP Parsing In A Directory

December 23rd, 2008

Sometimes it is necessary to turn off PHP parsing for a directory. You might want to give away some source code and therefore do not want the server to execute that code when a user tries to download it.

To turn off PHP parsing in a directory just create a .htaccess file with the following content.

php_flag engine off

You can expand on this by adding the following:

AddType text/plain .php

This will force the .php files in that directory to be served as plain text, so their source is sent to the browser instead of being executed.

If you are going to use this then be sure that you do not put it in any directory that contains your applications. It makes every file in that directory downloadable, including configuration files that contain usernames and passwords.

Some .htaccess Rules To Improve PHP Portability

December 5th, 2008

PHP is a powerful tool, but if you create any piece of software there are one or two things that you should never rely on.

A good example is using PHP short tags. This is a shorthand way of stating that a block is to be parsed as PHP. This is an example of a normal tag.

<?php echo 'Hello World'; ?>

Here is the same code using short tags.

<? echo 'Hello World'; ?>

Another alternative, if you just want to print the value of a variable or expression, is to use the following.

<?= 'Hello World'; ?>

The short tags setting can be turned on or off in the php.ini file. If you create an application that relies on these short tags then you will find that on some systems the short tags setting is turned off, which means that your software will simply not work.

You can force PHP to set this setting to on by using the following rule in your .htaccess file on an Apache server.

php_flag short_open_tag on

Note that this probably works with other servers that use .htaccess but I haven’t been able to test it. Two other things that are useful to turn off are register globals and magic quotes.

php_flag magic_quotes_gpc off
php_flag register_globals off

The register_globals setting should be turned off on any server for security reasons, but relying on magic quotes being turned on is equally dangerous. As a rule you should always treat anything from the user as potentially dangerous, but turning magic quotes off lets you be certain that your string is escaped exactly once, by you. The problem comes when you escape a string yourself while magic quotes is turned on: you tend to find your database input has multiple slashes.

PHP5 (when using certain functions) requires that you set your timezone. You can do this by using the following rule.

php_value date.timezone "UTC"

If you are testing your PHP code then you can use the following two rules to turn on error reporting and display errors.

php_value error_reporting "8191"
php_value display_errors "1"

To turn this off just change the display_errors setting to 0. You would want to do this on a production server!

Finally, one last little fix is to make sure that the server doesn’t allow users to simply browse the contents of your directories. The following .htaccess rule will prevent Apache from showing a directory listing.

# Security: Don't allow browsing of directories
Options -Indexes

Categories: PHP

Redirect One Directory To Another With .htaccess

May 19th, 2008

To stop access to a directory (and anything in that directory) all you need is a simple RewriteRule.

RewriteEngine on
RewriteBase /
RewriteRule ^exampledirectory/(.*)$ / [R=301,L]

In this example, if this .htaccess file resides in the root directory of the site and you try to access anything within /exampledirectory you will be redirected back to the root folder. To redirect to another folder (like anotherdirectory) on your web server use the following rule.

RewriteEngine on
RewriteBase /
RewriteRule ^exampledirectory/(.*)$ /anotherdirectory [R=301,L]

Categories: Apache

When To Use .htaccess Files

May 1st, 2008

Hypertext access, or .htaccess files, allow you to change the Apache configuration on a per-directory basis. However, you should always use the main server configuration file to make configuration changes whenever possible. This is because when Apache is configured to process .htaccess files it looks at every directory underneath the current directory to see if there are any such files present, resulting in a slightly longer page load time. Although this might not be noticeable with low traffic levels, at high traffic levels it can cause sites to slow down. You should therefore use .htaccess files only when the main server configuration file (httpd.conf) is inaccessible.

To increase performance you can use the AllowOverride directive in your top level directory, or in any directory whose subdirectories do not use .htaccess files. This will stop Apache from searching through all subdirectories.

AllowOverride None

Having .htaccess files can also be a security problem. In order to stop anyone writing to your .htaccess files you must set the permissions at "644". This allows universal read access and user-only write access. You should also make sure that your Apache configuration contains the following lines that will stop external access to your .htaccess files.

<Files .htaccess>
 order allow,deny
 deny from all
</Files>

Preventing Image Bandwidth Theft With .htaccess

April 21st, 2008

When people link to your images from their own site they are essentially using your bandwidth to show images on their site. This is also known as hotlinking.

The simplest way of preventing people from doing this is to add a .htaccess file that only allows locally linked images to be served. This checks the domain that is linking to your images by using the referrer, and if the domain does not equal your own site then a different image is served, in this case blank.jpg.

RewriteEngine On
RewriteBase /
# Requests with no Referer at all (typed URLs, bookmarks) are not hotlinks; serve them normally
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?talkincode\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.co\.uk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/blank.jpg [L]

You can also prevent hotlinking from high traffic sites like myspace by using the following .htaccess file.

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?myspace\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?livejournal\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/blank.jpg [L]

Instead of returning a blank image you could produce a 403 Forbidden error by using the F RewriteRule flag.

RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]
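To check what the referrer-based rules above will do before deploying them, here is an added Python model (not code from the original post) that applies the page's Referer patterns and image rule to constructed sample requests. The empty-Referer handling, the exemption of the placeholder image, the forbid switch and the tightened STRICT_PATTERNS are my assumptions; the sample requests are constructed.

```python
import re

# Referer whitelist copied from the page's first rule set ([NC] -> IGNORECASE).
PAGE_PATTERNS = (
    r"^http://(.+\.)?talkincode\.com/",
    r"^http://(.+\.)?google\.co\.uk/",
    r"^http://(.+\.)?google\.com/",
)
# Tightened variant (an assumption, not from the page): '.+' also matches '/',
# so the optional subdomain group could swallow an entire foreign URL.
STRICT_PATTERNS = tuple(p.replace("(.+\\.)?", "([^/]+\\.)?") for p in PAGE_PATTERNS)
# The page's RewriteRule pattern; it carries no [NC], so ".JPG" is not covered.
IMAGE_RULE = re.compile(r".*\.(jpe?g|gif|bmp|png)$")
PLACEHOLDER = "/images/blank.jpg"


def hotlink_action(path, referer, patterns=PAGE_PATTERNS,
                   allow_empty_referer=True, forbid=False):
    """Return "serve", "blank" or "forbidden" for one request.

    referer is "" when the header is absent. allow_empty_referer models an
    extra 'RewriteCond %{HTTP_REFERER} !^$' so direct requests still work;
    forbid models the '- [F]' variant instead of substituting blank.jpg.
    """
    if not IMAGE_RULE.match(path) or path == PLACEHOLDER:
        return "serve"  # rule does not apply; never rewrite the placeholder to itself
    blocked = "forbidden" if forbid else "blank"
    if referer == "":
        return "serve" if allow_empty_referer else blocked
    if any(re.match(p, referer, re.IGNORECASE) for p in patterns):
        return "serve"
    return blocked


# Constructed sample requests (not real traffic) worth checking before deploying.
SAMPLES = [
    ("/images/logo.png", "http://www.talkincode.com/a-post/"),       # own site
    ("/images/logo.png", "http://images.google.com/imgres?q=logo"),  # whitelisted
    ("/images/logo.png", "http://other.example/gallery.html"),       # hotlink
    ("/images/logo.png", ""),                                        # direct request
    ("/css/site.css", "http://other.example/"),                      # not an image
    ("/images/logo.png", "http://other.example/p.talkincode.com/"),  # page regex gap
]


def decisions(patterns=PAGE_PATTERNS, allow_empty_referer=True):
    """Map every sample request to its outcome under the given patterns."""
    return {(p, r): hotlink_action(p, r, patterns, allow_empty_referer)
            for p, r in SAMPLES}


if __name__ == "__main__":
    for (path, ref), action in decisions().items():
        print(f"{action:9s} {path:17s} Referer={ref!r}")
```

Running it with STRICT_PATTERNS shows the last sample flip from "serve" to "blank", which is the reason to anchor the subdomain group with [^/]+ rather than .+ in the real rules.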

Another way is to use the mod_setenvif module to figure out what the referrer name is. You will first need to go into your Apache httpd.conf file and make sure that the mod_setenvif module is enabled.

LoadModule setenvif_module modules/mod_setenvif.so

If it isn’t enabled then uncomment the line and restart Apache. This module is normally turned on by default so it should be enabled on most hosts.

Next, upload the following .htaccess file to your root directory, replacing the domain name with your own.

SetEnvIfNoCase Referer "^http://www.talkincode.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.talkincode.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://talkincode.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://talkincode.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(bmp|gif|png|jpe?g)$">
 Order Allow,Deny
 Allow from env=locally_linked
</FilesMatch>

This method simply stops the image being served, rather than presenting a different image.

However, there is nothing you can do to stop people downloading images from your site and using them on their own site. If your images are copyrighted in any way then you will need to contact the site directly to get them to remove your images.

Categories: Apache