While working with a FLEX-PHP project, I went through an experience which I would like to share. In the project the front end is in FLEX, and the backend part is handled by PHP. This works fine in the local system, but when it is moved to the live server, the file upload functionality doesn’t work!

When I searched on the net, I found the following two options :

–    Disable the mod_security firewall module in Apache and use a dedicated firewall on your server.
–    In the site root add a .htaccess file containing the following lines:
SecFilterEngine Off
SecFilterScanPOST Off

We don’t have admin access to the apache server. So we can’t disable the mod_security module. Also it is not advisable, because if we do like this we are allowing others to hack our server easily.

Mod_security is an Apache module provides intrusion detection and prevention for web applications. It saves web applications from known and unknown attacks, such as SQL injection attacks, cross-site scripting, path traversal attacks, etc.
So I was left with the 2nd option, but it is also not the best way to put the lines in the root .htaccess file, because it will affect the whole website.

The solution to this is, put a “.htaccess” file in the folder, where upload PHP code resides. In that file add the following lines:

<IfModule mod_security.c>
<Files UploadFile.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>

“<Files UploadFile.php>” means the rule is applied only to “UploadFile.php” file, and will not affect any other code of the website. You can write your own file name instead of  “UploadFile.php”, which is used for file upload.

Note: The “.htaccess” file can overwrite the apache config settings only if, “AllowOverride” option is allowed to “All” for that directory. It shouldn’t be “None”..