<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Hiding PHP</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="security.magicquotes.disabling.html">Disabling Magic Quotes</a></div>
<div class="next" style="text-align: right; float: right;"><a href="security.current.html">Keeping Current</a></div>
<div class="up"><a href="security.html">Security</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="security.hiding" class="chapter">
<h1>Hiding PHP</h1>
<p class="para"> In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable. </p>
<p class="para"> A few simple techniques can help to hide <acronym title="PHP: Hypertext Preprocessor">PHP</acronym>, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php to <em>off</em> in your <var class="filename">php.ini</var> file, you reduce the amount of information available to them. </p>
<p class="para"> Another tactic is to configure web servers such as Apache to parse different filetypes through <acronym title="PHP: Hypertext Preprocessor">PHP</acronym>, either with an <var class="filename">.htaccess</var> directive, or in the Apache configuration file itself.
You can then use misleading file extensions:
<div class="example" id="example-348">
<p><strong>Example #1 Hiding PHP as another language</strong></p>
<div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl</pre>
</div>
</div>
</div>
Or obscure it completely:
<div class="example" id="example-349">
<p><strong>Example #2 Using unknown types for PHP extensions</strong></p>
<div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t</pre>
</div>
</div>
</div>
Or hide it as <acronym title="Hyper Text Markup Language">HTML</acronym> code, which has a slight performance hit because all <acronym title="Hyper Text Markup Language">HTML</acronym> will be parsed through the <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> engine:
<div class="example" id="example-350">
<p><strong>Example #3 Using <acronym title="Hyper Text Markup Language">HTML</acronym> types for PHP extensions</strong></p>
<div class="example-contents">
<div class="apache-confcode"><pre class="apache-confcode"># Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html</pre>
</div>
</div>
</div>
For this to work effectively, you must rename your <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks.
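A way to confirm the settings above took effect on your own server, written as an added example that is not part of the PHP manual: it inspects one response for the X-Powered-By header controlled by expose_php and for a PHP file extension in the URL. It goes beyond the page by also checking the PHP token that mod_php appends to the Server header and the default PHPSESSID cookie name; the function name, extension list and sample responses are assumptions constructed for illustration.

```python
import re

# Extensions that commonly map to PHP by default (assumption for this example).
PHP_EXTENSIONS = (".php", ".phtml", ".phps")

def php_disclosures(url_path, headers):
    """Return sorted findings for one response; headers is a list of (name, value)."""
    findings = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "x-powered-by" and "php" in value.lower():
            findings.add("X-Powered-By names PHP: set expose_php = off")
        elif lname == "server" and re.search(r"\bPHP/\d", value, re.I):
            findings.add("Server header has a PHP token: set expose_php = off")
        elif lname == "set-cookie" and value.split("=", 1)[0].strip() == "PHPSESSID":
            findings.add("default session cookie PHPSESSID: change session.name")
    # Ignore the query string, then compare the extension case-insensitively.
    if url_path.split("?", 1)[0].lower().endswith(PHP_EXTENSIONS):
        findings.add("URL ends in a PHP extension: remap with AddType and rename")
    return sorted(findings)

# Constructed sample responses (not captured from a real server).
EXPOSED = ("/index.php?id=1", [
    ("Server", "Apache/2.4.0 (Unix) PHP/8.0.0"),
    ("X-Powered-By", "PHP/8.0.0"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
])
HIDDEN = ("/index.html?id=1", [
    ("Server", "Apache"),
    ("Set-Cookie", "sid=abc123; path=/"),
])

if __name__ == "__main__":
    for label, (path, hdrs) in (("exposed", EXPOSED), ("hidden", HIDDEN)):
        print(label, php_disclosures(path, hdrs) or "no PHP disclosure found")
```

Renaming files alone leaves the header and cookie findings in place, so run the check after each change rather than only after the last one.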
</p> </div> </body></html>