Hudzilla.org - the homepage of Paul Hudson

17.1.2     Choose your file extension carefully


PHP can parse any valid script regardless of its name, whether it is called foo.php, very_long_name.php.php.php, or even wom.bat. Using the default extension of ".php" means that before your hackers even start, you have already told them you are using PHP. As mentioned, you can use any filename for your scripts: if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and configuring the web server to pass HTML files to PHP.

If you are running Apache, you can change your file extension by changing this line:

AddType application/x-httpd-php .php

The .php part can be changed to .html, .foo, or whatever else you want - be creative!

Author's Note: Using something other than .php as your file extension is nothing more than security through obscurity, a technique most people would argue against. However, as long as changing the file extension is not your only form of defence, there's no reason not to use it - every little helps, and if it deters just 1% of hackers from trying to break into your site then you should be pleased.


Comments from other readers
A PHP User - 29 Aug 2008

FYI, this exact topic is covered just ahead of this point in 17.1.5 Hide your identity.

A PHP User - 29 Aug 2008

I disagree with the last comment. Of course you can/should take additional steps to secure your system. For example, you can deal with the "HTTP headers" issue in two ways. One, change "expose_php = On" to "expose_php = Off" in your php.ini file. Two, change the ServerSignature and ServerTokens settings in Apache to also not display server information in the headers.

A.N. Other - 29 Aug 2008

I doubt this is much use. The HTTP headers say more about how a page was made than you might think. For example, the headers for this page are:

HTTP/1.1 200 OK
Date: ddd, dd mmm yyyy hh:mm:ss GMT
Server: Apache/1.3.33 (Unix)
X-Powered-By: PHP/4.3.10
Transfer-Encoding: chunked
Content-Type: text/html

"X-Powered-By: PHP/4.3.10" is a bit of a give-away, don't you think? The lack of "Last-Modified" and "ETag" headers also tells me this is probably not a static HTML file.
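A small header audit in Python, added here as an example (it is not from the book or from either commenter), that parses a response head like the one quoted above and flags the disclosures the two comments discuss: a versioned Server header, an X-Powered-By header, and the absence of Last-Modified/ETag that hints at a dynamic page. Both header blocks are constructed samples; the second assumes the server has been reconfigured with expose_php = Off, ServerTokens Prod and ServerSignature Off.

```python
import re

# Constructed sample: the kind of response head quoted in the comment above,
# before any hardening (version strings are the ones shown on this page).
RAW_BEFORE = """HTTP/1.1 200 OK
Date: Fri, 29 Aug 2008 12:00:00 GMT
Server: Apache/1.3.33 (Unix)
X-Powered-By: PHP/4.3.10
Transfer-Encoding: chunked
Content-Type: text/html
"""

# Constructed sample: the same page after expose_php = Off in php.ini and
# ServerTokens Prod / ServerSignature Off in the Apache configuration.
RAW_AFTER = """HTTP/1.1 200 OK
Date: Fri, 29 Aug 2008 12:00:00 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html
"""


def parse_headers(raw):
    """Parse a raw HTTP response head into {lower-cased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return the list of information-disclosure findings for one response head."""
    h = parse_headers(raw)
    findings = []
    # "Apache/1.3.33 (Unix)" reveals the exact server version; "Apache" alone does not.
    if re.search(r"/\d", h.get("server", "")):
        findings.append("server-version")
    # X-Powered-By is emitted by PHP unless expose_php is switched off.
    if "x-powered-by" in h:
        findings.append("x-powered-by")
    # Static files normally carry Last-Modified and ETag; their absence suggests a script.
    if "last-modified" not in h and "etag" not in h:
        findings.append("looks-dynamic")
    return findings
```

Note that the hardened response still trips the "looks-dynamic" check: hiding version strings stops the server naming PHP, but it does not stop the response looking like generated content.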
