php-manual-en-5.5.7-1.mga4.noarch.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Hiding PHP</title>

 </head>
 <body><div class="manualnavbar" style="text-align: center;">
 <div class="prev" style="text-align: left; float: left;"><a href="security.magicquotes.disabling.html">Disabling Magic Quotes</a></div>
 <div class="next" style="text-align: right; float: right;"><a href="security.current.html">Keeping Current</a></div>
 <div class="up"><a href="security.html">Security</a></div>
 <div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="security.hiding" class="chapter">
   <h1>Hiding PHP</h1>

   <p class="para">
    In general, security by obscurity is one of the weakest forms of security.
    But in some cases, every little bit of extra security is desirable.
   </p>
   <p class="para">
    A few simple techniques can help to hide <acronym title="PHP: Hypertext Preprocessor">PHP</acronym>, possibly slowing
    down an attacker who is attempting to discover weaknesses in your
    system. Setting expose_php to <em>off</em> in your
    <var class="filename">php.ini</var> file reduces the amount of information available to such an attacker.
   </p>
   <p class="para">
    Another tactic is to configure web servers such as Apache to
    parse different file types through <acronym title="PHP: Hypertext Preprocessor">PHP</acronym>, either with an <var class="filename">.htaccess</var>
    directive, or in the Apache configuration file itself. You can
    then use misleading file extensions:
    <div class="example" id="example-348">
     <p><strong>Example #1 Hiding PHP as another language</strong></p>
     <div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl</pre>
</div>
     </div>

    </div>
    Or obscure it completely:
    <div class="example" id="example-349">
     <p><strong>Example #2 Using unknown types for PHP extensions</strong></p>
     <div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t</pre>
</div>
     </div>

    </div>
    Or hide it as <acronym title="Hyper Text Markup Language">HTML</acronym> code, which has a slight performance hit because
    all <acronym title="Hyper Text Markup Language">HTML</acronym> will be parsed through the <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> engine:
    <div class="example" id="example-350">
     <p><strong>Example #3 Using <acronym title="Hyper Text Markup Language">HTML</acronym> types for PHP extensions</strong></p>
     <div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html</pre>
</div>
     </div>

    </div>
    For this to work effectively, you must rename your <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> files with
    the above extensions. While it is a form of security through
    obscurity, it&#039;s a minor preventative measure with few drawbacks.
   </p>
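   <p class="para">
    Renaming extensions changes only the URL, so it is worth checking what your own server still announces in its response headers. The following is an added example, not part of the PHP manual: the function name, the set of headers checked and both sample responses are constructed for illustration, and it relies on the facts that expose_php adds a PHP version to <em>X-Powered-By</em> and the server banner and that the default session.name is <em>PHPSESSID</em>.
   </p>

```python
"""Audit response headers from your own server for signs of PHP."""
from email.parser import Parser

# Constructed sample responses (not captured from a real host).
DEFAULT_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Unix) PHP/5.5.7
X-Powered-By: PHP/5.5.7
Set-Cookie: PHPSESSID=constructedvalue; path=/
Content-Type: text/html
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: sid=constructedvalue; path=/; HttpOnly
Content-Type: text/html
"""


def php_disclosures(raw_response):
    """Return (header, value, reason) tuples for headers that reveal PHP."""
    # Drop the status line; the rest is an RFC 822 style header block.
    _status, _, header_block = raw_response.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    for value in headers.get_all("X-Powered-By", []):
        if "php" in value.lower():
            findings.append(("X-Powered-By", value, "expose_php is on"))
    for value in headers.get_all("Server", []):
        if "php/" in value.lower():
            findings.append(("Server", value, "PHP version in server banner"))
    for value in headers.get_all("Set-Cookie", []):
        # The cookie name is everything before the first "=".
        name = value.split("=", 1)[0].strip()
        if name == "PHPSESSID":
            findings.append(("Set-Cookie", name, "default session.name in use"))
    return findings


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_RESPONSE),
                          ("hardened", HARDENED_RESPONSE)):
        print(label, php_disclosures(sample) or "no PHP disclosure found")
```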
  </div>
</body></html>