Hide *.inc.php from website visitors

I have a script myscript.inc.php which handles all urls that look like /script-blah I accomplish this by using following .htaccess

RewriteEngine On 
RewriteRule ^script-(.*)$ myscript.inc.php?s=$1 [QSA,L]

However users could also access it this way by typing /myscript.inc.php?s=blah I would like to prevent that. I tri开发者_如何转开发ed

<Files ~ "\.inc\.php$">
 Order deny,allow
 Deny from all
</Files>

and

RewriteCond %{REQUEST_URI} \.inc\.php
RewriteRule .* - [F,L,NS]

They both prevent users from viewing /myscript.inc.php?s=blah but they also cause /script-blah to return 403...

Is there a way to do this correctly?

I use the following method to protect my .inc.php files. Add the following to your .htaccess:

#Prevent Users From Accessing .inc.php files in .htaccess
<Files ~ ".inc.php$">
Order allow,deny
Deny from all
</Files>

You could also try the following (a number of open source packages do this)

• place a blank index.html in every folder
• use this rule in .htaccess to block folder reading Options -Indexes
• place a line that dies scripts where a global constant isn't found

For example, here is Kohana's "toss out invalid accesses". It is the first line in all PHP files.

<?php defined('SYSPATH') or die('No direct script access.'); ?>

This line basically says "if not included via index.php where SYSPATH is defined, we will abort script and show a friendly message"

You could redirect if it is a filename

RewriteCond %{REQUEST_FILENAME} =-f