Apache / Nginx / Lighttpd: PHP Disable File Upload

I am in the process of setting up Apache and PHP for my small business server. I’m not utilizing file upload functionality in any of my PHP scripts. How do I disallow uploading files under a CentOS or Ubuntu Linux based LAMP server?

Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: LAMP + CentOS/Ubuntu Linux/Unix-like OS
Est. reading time: N/A

PHP is a widely used and often misconfigured server-side scripting language. If you and your web apps written in PHP are not using file uploads, you can turn the feature off by editing the php.ini file. Crackers (or attackers) will try to upload malicious scripts into your web apps for spam, fraud and other malicious activities.

Step #1: Find php.ini

To find the php.ini path, enter:

php -i | grep --color 'php.ini'

Sample outputs:

Fig.01: Finding php.ini path under Unix like operating systems

On my CentOS based system php.ini is located in /etc/ directory.

Step #2: Edit /etc/php.ini

Edit the file /etc/php.ini, type:
# vi /etc/php.ini
Make the following changes to /etc/php.ini:

; Disallow file uploads altogether. This makes moving or injecting bad scripts/code onto your web server more difficult.
file_uploads = Off
; Do not let fopen(), include and related file functions treat URLs as files
allow_url_fopen = Off
allow_url_include = Off

Save and close the file. Restart or reload the Apache web server:
# service httpd restart
or
# service httpd reload
If you are using Nginx, reload the nginx web server:
# nginx -s reload
If you are using Lighttpd, restart the lighttpd web server:
# /etc/init.d/lighttpd restart
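
To confirm that the edit from Step #2 is what PHP will actually read, the following added example (not part of the original tutorial) audits a php.ini for the three directives, handling commented-out lines and later lines that override earlier ones. The function name audit_php_ini and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a php.ini for the
# three directives changed in Step #2.
# audit_php_ini FILE prints "FAIL name = value" for each directive that is
# still enabled and returns 0 only when all three are off.
audit_php_ini() {
    awk '
    BEGIN {
        # PHP built-in defaults, used when a directive is absent from the file.
        def["file_uploads"] = "1"
        def["allow_url_fopen"] = "1"
        def["allow_url_include"] = "0"
        for (k in def) val[k] = def[k]
    }
    {
        line = $0
        sub(/;.*/, "", line)              # drop ";" comments (whole-line or trailing)
        n = index(line, "=")
        if (n == 0) next                  # blank line, comment or [section] header
        key = substr(line, 1, n - 1)
        v = substr(line, n + 1)
        gsub(/[ \t]/, "", key)            # directive names are case sensitive
        gsub(/[ \t\r"]/, "", v)
        if (key in def) val[key] = tolower(v)   # the last assignment wins
    }
    END {
        bad = 0
        for (k in def) {
            v = val[k]
            # Conservative: anything that is not a known "off" spelling fails.
            if (v != "off" && v != "0" && v != "false" && v != "no" && v != "none" && v != "") {
                printf "FAIL %s = %s\n", k, v
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample input: a hardened file, then a later line that undoes it.
sample=$(mktemp)
printf "%s\n" "[PHP]" "file_uploads = Off" "allow_url_fopen = Off" \
    "allow_url_include = Off" > "$sample"
audit_php_ini "$sample" && echo "hardened file: OK"
printf "%s\n" "file_uploads = On   ; re-enabled further down" >> "$sample"
audit_php_ini "$sample" || echo "override detected"
rm -f "$sample"
```

Run it against the php.ini that the web server's PHP actually loads, which can differ from the file the php command-line binary reports.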

See also

See the article on hardening and securing PHP, twenty-five PHP security best practices for sysadmins, for configuring PHP securely.

1 comment
  • Pedro Saraiva Apr 15, 2013 @ 12:19

    for distribution debian
    # service apache2 restart
