1. Nextgr+ (OP) 2020-06-22 17:14:32
Modern PHP frameworks solve this problem just like the other languages solved this problem from the beginning - any inbound HTTP request goes into an entry point (the HTTP router library) which then loads the different classes and dispatches the request accordingly. The web server never executes anything but the entry point PHP file, regardless of what path the request is actually for.

The problem is all the legacy applications which are a mess of random PHP files and rely on the web server itself to dispatch requests based on the path of the file - in this case any PHP file can get executed if it happens to be in a location served by the web server. Rather than disallowing PHP execution in select folders, how about allowing PHP execution only for specific paths - those that you expect incoming requests to hit? That way no malicious code can run unless it manages to overwrite an existing file.
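Added example, not code from the comment above or from any project: an nginx + PHP-FPM server block that implements the allowlist the comment proposes, shown next to the deny-list it replaces. The hostname, document root, socket path and the second entry point (`api.php`) are assumed values.

```nginx
server {
    listen 80;
    server_name legacy.example;           # assumed hostname
    root /var/www/legacy/public;          # assumed document root
    index index.php;

    # --- Deny-list approach (weak, commented out for contrast) ---
    # Blocks one known folder, but any other *.php that lands under
    # the root (a stray backup, an upload outside /uploads) still runs.
    #
    # location ~ ^/uploads/.*\.php$ { return 404; }
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    # }

    # --- Allowlist approach ---
    # Everything that is not a static file is routed to the front
    # controller; the query string is preserved for the router.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Exact-match locations take precedence over regex locations,
    # so these are the only scripts PHP-FPM is ever asked to execute.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
    location = /api.php {                 # assumed second entry point
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other *.php anywhere under the root is refused outright and
    # never handed to PHP-FPM, whatever directory it sits in.
    location ~ \.php$ {
        return 404;
    }
}
```

With this layout a request for `/uploads/x.php` or `/old/backup.php` hits the final regex block and gets a 404, while `/anything/else` falls through `try_files` to the allowed `index.php`; dropping a new file under the document root therefore gains nothing unless it overwrites one of the listed entry points.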
