Some Problem with htaccess

hello Everyone i want to add some privacy for myt Files like
nobody can access to my .php files i mean it wont work for views i mean people cannot view my private files also like all my .php files
THIS Is my .htaccess file At this time
php_value display_errors Off
php_value mbstring.http_input auto
php_value date.timezone America/New_York
Options +MultiViews
RewriteEngine on

For .php & .html URL’s:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.php [NC,L]
RewriteRule ^([^.]+)$ $1.html [NC,L]

What are you exactly trying to achieve? If you want to make certain php files inaccessible then program them in a way that they return blank page when accessed directly via the browser. The htaccess rules for it is unnecessary.


Well i have did that before 2-3. YEARS but now o forget that How do i tuned from .htacces everything would be safe thats the reason i want to make it Private From htacces some stack mod also said me that i am trying if Random People Try to access my .php files From site they cant get access of that because some of My php files can Include PERSONAL info like name email so i dont want to get Visible for everyone @admin they can give better solution i know admin is legend for me always

Impressive how you did that years ago yet you have not learned that PHP will not expose variables to the visitor unless you explicitly make it to do.
And why even put some personal information in php files such as name if you want it to be inaccessible for privacy? Makes not sense.


I am using smtp server via Gmail So i have to use some info like dat And am not here to make any Senses. IF YOU DONT WANT TO HELP ANYONE HERE INSTEAD OF BEING HERE COOL ON HIMSELF AND LIKING YOUR OWN COMMENT GIVES YOU LEGENDARY FEELS THEN GO AHEAD but dont replies to my Post if you cant Help Anyones. I told you that before

First of all, I’m trying to help you so chill. :+1:

Then there is no need to worry about your information being viewable by browser users as long as you are storing them inside PHP variables and you are not explicitly making them visible to the visitors (e.g using echo or var_dump())

You should learn about PHP variables and how they really work, period.

If you do want content of certain folders to be inaccessible to the end users, then here you go:
php_value mbstring.http_input auto
php_value date.timezone America/New_York
Options +MultiViews
RewriteEngine on

# For .php & .html URL’s:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.php [NC,L]
RewriteRule ^([^.]+)$ $1.html [NC,L]

# Prevent direct access to PHP files
<FilesMatch "\.php$">
# '' 
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.php\ HTTP/
RewriteRule .* - [F,L]

Rightnow I am Using These Rules But when i Tries To Access That file Without Removing Extention i can Access That so i dont wanna use that i want to Protect for Its Securities reasons

( if i visit it gives access So i want to Protect Both without Extension and With Extension also thats the Point.

I’m sorry, but I don’t understand how exactly you want your site to work.

Right now, you have three segments, all potentially acting on the same request:

  • A rewrite rule that adds a .php extension if the file does not exist.
  • A rewrite rule that adds a .html extension, but only if the file with that name (without extension) exists, because if it does, it’s rewritten to .php instead.
  • A FilesMatch directive that matches all .php files, which has another RewriteRule in it.

I have a hard time understanding what this actually does, because it boils down to how Apache chooses to understand these conflicting items.

So, to look at your example:

So how it is supposed to work? If you don’t want submit.php to be accessible, then why have rewrite rules that rewrite /submit to /submit.php?

Please describe how exactly your rules and your website should work. What you have right now has so many conflicting code that I honestly have no idea what the goal is.


actually rigtnow i have added those in my .htaccess to Files for not accessible for everyone because some of my php includes my private info like my smtp password thats why some gave me suggestion about that before 3-4 month that i should write rules to protect those php files from everyone -- some stack member said me to add those but my website gives error code now 404 and Access denied ITS un accessible the whole website after this --

# externally redirect requests with extension
RewriteRule ^(.+)\.(php|html)$ $1 [R=301,L]

# internally rewrite requests without extensions to ".php" & ".html" URLs:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.php [L]
RewriteRule ^([^.]+)$ $1.html [L]```

Delete that file if you want it to be inaccessible by everyone.


Lol. Thats not solution i am doing Mistake On somewhere Else Thats why I Raise the request To solve… Request everyone to check nd get dat solve…pls

Ples tell me where ? I didnt find submit.php redirect to /submit i the Opposite what U saying

I want to Redirect it from submit.php to /submit if any random Person Try to Remove extension and they cant access also they should Recieve Not Acces Message As well. I think my question is putting u in trouble or you didnt understand properly dis is because am not properly Explaining thats why… sir
Or my question is maybe wrong we connot the protect that submit.php before it redirects.

So, if I understand it correctly:

  • If someone tries to access the URL /submit, the file submit.php should be loaded.
  • If someone tries to access the URL /submit.php, they should get a 403 Forbidden response.

Is this correct?

If so, you’ll need to make a number of changes:

For starters, remove all the FilesMatch stuff. You don’t want to block access .php files, you want to block access to .php URLs. FilesMatch works on files, not URLs, so you don’t want this.

This will redirect URLs with the extension to the URL without. If you wan to block the request instead, you can replace R=301 with F.

This doesn’t really make sense. You can’t take a URL and redirect it to both .php and .html. You’ll probably want to do one or the other, depending on which file is available.

So, off the cuff, the code could look something like this:

# Redirect URL to the .php extension if a .php file exists.
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^([^.]+)$ $1.php [L]

# Redirect URL to the .html extension if a .html file exists.
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^([^.]+)$ $1.html [L]

Yes, Correct. I am Trying to Add Protection on You can View Also
But with extension it works Perfectly as it should be. So that i said

Good! However…

I interpret this as the exact opposite of what I said. Assuming that “protected” means “not accessible” and “working perfectly” being “the page can be accessed and used”.

And if you want /submit to not do anything but /submit.php to trigger your script, then you can just delete all the .htaccess rules, because that’s how the servers work by default.


I believe that OP’s whole goal is to make the credentials of his SMTP API invisible to the users as said here:

Which is impossible to be viewed as long as such content are stored inside PHP variables and not explicitly outed to the visitors using functions such as echo.

Either OP is unable to make any sense or he is doing the whole thing wrong and trying to implement the Y solution for X problem instead of the X solution.



my Query was solved with Your solution but rightnow am only using rules the problem is solved but still there is only which a Random Person should not able to views main files like functions.php .submit.php even when after they remove extension still from direct access shouldnt work just that the problem which is not been solved.… u can check that i told u that but - is working -_-

Options +MultiViews
RewriteEngine On

# For .php & .html URL's:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
RewriteRule ^([^\.]+)$ $1.html [NC,L]```

I already gave you a potential solution yesterday. Please try it.

Right now, you deleted the rule I told you to keep, and didn’t add the rules I told you to add. I’m happy to help you, but I can’t do so if you don’t follow my instructions, especially when those instructions involve spoonfeeding you code to use.

Code which, as @Ziverre already said, is entirely unnecessary.


Alright i’ll do so again… i did that yesterday but i haven’t see changes :expressionless: sorry for not to understanding your words…

1 Like