Re: need to get .html files parsed by PHP. -- WAS: why does PHP parse "*.html" files in one subdir/ but not in another?

2009/7/19 Govinda <govinda.webdnatalk@xxxxxxxxx>:
>>> Generally, if a file has a .html extension, then it should really just
>>> contain html. .php extensions are meant for php code containing html.
>>>
>>
>> File extension has absolutely no bearing at all on the contents of the
>> file.  There's valid reasons to not expose what's what under the hood,
>> especially if there happen to be known exploits in the latest version
>> of PHP that week.  God forbid that that happens, but it does every so
>> often.  File mime-type being determined by an extension is entirely M$
>> Windows mentality and doesn't really extend to *nix environments,
>> where most of us are hosting our sites, anyway.  You could name your
>> scripts whatever you want, .awesome, .refridgerator, .silver, whatever
>> and it'd have no bearing on the files themselves.  It's certainly the
>> de facto standard that .html files only contain flat markup, but
>> that's by no means a rule or anything, but it's common practice
>> (mostly because programmers are lazy).
>
> Yes, I wanted to hide the .php extension in case any wandering evil-doing
> should find a hole in my site..  until I get really good at preventing any
> possible holes.  I see facebook uses the .php extension so I assume there is
> ultimately nothing to fear, but I'm a php newb.
>
>>
>> Sorry if I sound rude, just quit smoking :)
>
> Hey, nice going!  Hang in there!   :-)

Most security issues have nothing to do with the programming language
and everything to do with the code. Just because "facebook uses the
.php extension" certainly does not mean their code has no security
holes and even if it's clean it certainly doesn't mean your code will
be secure.

If you really want to hide the fact that you're using PHP you need to
make sure that...

* You're not using the .php extension
* You turn expose_php off in your php.ini
* You turn display_errors off in your php.ini

However, I would recommend spending time checking and testing your
code to ensure it's secure since security through obfuscation does not
make your code secure.

-Stuart

-- 
http://stut.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
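
A check for the three items listed in the reply above, as an added example that is not part of the original thread: it reads a php.ini excerpt and one HTTP response from your own site and reports which signs of PHP remain. The sample inputs, the function names and the error-message pattern are assumptions made for illustration.

```python
import re

# Constructed sample inputs (not from the thread): a php.ini excerpt and
# one HTTP response recorded from a site you operate.
SAMPLE_INI = "; constructed example\nexpose_php = On\ndisplay_errors = On\n"
SAMPLE_RESPONSE = {
    "url": "http://www.example.com/contact.php?id=3",
    "headers": {"X-Powered-By": "PHP/5.2.10", "Content-Type": "text/html"},
    "body": "<b>Warning</b>:  Division by zero in <b>/var/www/contact.php</b> on line <b>12</b>",
}

def ini_flag(ini_text, key, default):
    """Return a boolean php.ini directive as True/False (last setting wins)."""
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ; comments
        m = re.match(r"^%s\s*=\s*(\S+)" % re.escape(key), line, re.I)
        if m:
            value = m.group(1).strip('"').lower() in ("1", "on", "true", "yes")
    return value

def php_tells(ini_text, response):
    """List the ways this configuration and response still reveal PHP."""
    found = []
    # Both directives are treated as on when absent (assumed PHP defaults).
    if ini_flag(ini_text, "expose_php", True):
        found.append("ini: expose_php is on")
    if ini_flag(ini_text, "display_errors", True):
        found.append("ini: display_errors is on")
    path = response["url"].split("?", 1)[0]           # ignore the query string
    if re.search(r"\.(php\d?|phtml)$", path, re.I):
        found.append("url: PHP file extension")
    for name, value in response["headers"].items():
        if name.lower() == "x-powered-by" and "php" in value.lower():
            found.append("header: X-Powered-By")
    # Pattern for PHP's HTML-formatted error output (illustrative, not exhaustive).
    if re.search(r"<b>(Warning|Notice|Fatal error|Parse error)</b>:.* on line <b>\d+</b>",
                 response["body"]):
        found.append("body: PHP error message")
    return found

if __name__ == "__main__":
    for tell in php_tells(SAMPLE_INI, SAMPLE_RESPONSE):
        print(tell)
```

An empty list only means these particular signs are gone; it says nothing about whether the code behind the page is secure.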