Prevent execution of uploaded php files?

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploa开发者_开发技巧ded files that can parsed by php (*.php, *.html, etc.)

Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?

Keep them all under the same folder and set this line in the directory's .htaccess file:

php_flag engine off

That will also take care of other exploits such as embedding PHP code in .gif files.

You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler

This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:

<Location /web/uploads>
SetHandler None
</Location> 

should do what you want.

why not just rename the file extensions upon upload to .phps?

To clarify PHPS is the source code view of a PHP file:

To clarify:

file.php => file.phps

quick google example:

• http://filext.com/file-extension/PHPS