I still want people to have access to ALL the files, just not let any of the files run as scripts. Maybe have php files behave as plain text or html files.

I am trying to create a place my users can upload/download files, but I want to make sure they can't run a phpshell or other bad scripts.

php_admin_flag engine off

This creates a 500 error for all files, including html files

<Limit GET POST>
Order Allow,Deny
deny from all
</Limit>

This creates a 403 error for all files, including html files

not sure offhand, but take a look at apaches addhandler directive

its either that or one of the directives related to it

you would prob want to set everything to be sent as plain text, or html

thanks for pointing me in the right direction

AddHandler default-handler php

AddType text/html php

Both, AddHandler and AddType seem to be able to keep php from being executed.

Would one be better to use than the other?

I notice if you rename a .php file .phps, they display nicely. Is there a way to just map all php files to phps files (disableing php and having them displayed nice)?

Options -ExecCGI

I figure I should force cgi to be disabled, just to be safe. Is this the right way to do it?

If someone was to upload a .htaccess file, could they override my settings, if so, how could I prevent this?

By the way, this forum is great, I have learned a lot here. Thanks

RemoveType application/x-httpd-php .php

This also seems to disable php scripts.

Would one be better to use than the other?

I'm not sure that's the best way to do it. Maybe someone else can comment.

I notice if you rename a .php file .phps, they display nicely. Is there a way to just map all php files to phps files (disableing php and having them displayed nice)?

Yes, add this to your httpd.conf
RemoveType application/x-httpd-php .php
AddType application/x-httpd-php-source .php

I figure I should force cgi to be disabled, just to be safe. Is this the right way to do it?

If you don't use CGI, don't even load it. In httpd.conf comment out the CGI module and handler like:
#LoadModule cgi_module "..."
#AddHandler cgi-script .cgi

If someone was to upload a .htaccess file, could they override my settings, if so, how could I prevent this?

Yes, you would have to either prevent them from uploading .htaccess files or disable them in httpd.conf. Ex:
<Directory "/public_html/user_uploads/username/">
AllowOverride None
</Directory>

By the way, this forum is great, I have learned a lot here. Thanks

Yeah, this realy is a great site. You get questions answered quickly.

I am on a shared host so I don't have access to httpd.conf.

I added killing off cgi just to be safe, incase I/someone enables it in a parent folder in the future.

Yes, you would have to either prevent them from uploading .htaccess files or disable them in httpd.conf. Ex:
<Directory "/public_html/user_uploads/username/">
AllowOverride None
</Directory>

Is there a way to disable/ignore htaccess files in subfolders from a parent htaccess file? I don't have access to httpd.conf. If not, I guess I will have to add code to my scripts, not allowing uploading or renaming to ".htaccess". I was just trying to keep the php as simple as possible, plus i'm lazy.

Are there any other security loopholes I may be overlooking? Are there any issues with server side includes?

Humm...I'm not advanced enough in the Apache config to know how to do that, but I'm sure it's possible. Maybe someone else can comment or look at the Apache documentation.

There are always other security options to worry about. It depends on how secure your PHP is. There are several articles/documentation on security, just Google for php security.

rpanning, thanks for the help, your replies have been soo fast!

I know there are security risks I will have to watch out for in my php code, and that no code is perfect. Assuming my code is secure (I can dream, can't I), I wan't my users to be able to upload files without compromising the rest of my site.

Since I don't use ssi I am going to just add:

Options -Includes

and not worry about for now.

Quick summary of .htaccess settings so far.

To disable php, cgi, SSI:

# to disable php
AddHandler default-handler php

# OR
RemoveType application/x-httpd-php php
AddType text/html php

# OR: To display php files with color hilighted code
RemoveType application/x-httpd-php .php
AddType application/x-httpd-php-source .php

# To disable cgi and server side includes
Options -ExecCGI -Includes

If someone else knows how to disable/ignore .htaccess files on a shared server, I think I will be all set.

If it is a commercial shared server then they will probably be using .htaccess to control site separtion and access, so I doubt you can edit or override the one in your doc root. Subdirectories are another matter, and you can use your own .htaccess there to modify settings inherited from higher level directories.
guide to .htaccess

It is a commercial shared server, but I am not having a problem getting the settings I want.

What I would like to do is have apache ignore all .htaccess files under one of my subdirectories.

-This is the file I want to put my settings in.
public_html/user_uploads/.htaccess

-I do NOT want any .htaccess files in these folders to be able to override my settings in the above .htaccess file. Actually, what I really want is for apache to totally ignore these .htaccess files.
public_html/user_uploads/username1/.htaccess
public_html/user_uploads/username2/dir/.htaccess
public_html/user_uploads/username3/dir/dir/.htaccess
...

Is this possible?

I looked into "allowoverride None" before. From reading the documentation it looks like it should work, but when I tried it, it doesn't. When I put a .htaccess file into a subfolder, I can still change the settings.

it looks like I will have to do it the hard way, and prevent .htaccess files in my php code.