<HTML ><HEAD ><TITLE >Hiding PHP</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="PHP Manual" HREF="index.html"><LINK REL="UP" TITLE="Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="User Submitted Data" HREF="security.variables.html"><LINK REL="NEXT" TITLE="Keeping Current" HREF="security.current.html"><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=ISO-8859-1"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >PHP Manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security.variables.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 5. Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security.current.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="security.hiding" ></A >Hiding PHP</H1 ><P > In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable. </P ><P > A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php = off in your <TT CLASS="filename" >php.ini</TT > file, you reduce the amount of information available to them. </P ><P > Another tactic is to configure web servers such as apache to parse different filetypes through PHP, either with an .htaccess directive, or in the apache configuration file itself. You can then use misleading file extensions: <TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3099" ></A ><P ><B >Example 5-18. Hiding PHP as another language</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="apache-conf" ># Make PHP code look like other code types AddType application/x-httpd-php .asp .py .pl</PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE > Or obscure it completely: <TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3102" ></A ><P ><B >Example 5-19. Using unknown types for PHP extensions</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="apache-conf" ># Make PHP code look like unknown types AddType application/x-httpd-php .bop .foo .133t</PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE > Or hide it as html code, which has a slight performance hit because all html will be parsed through the PHP engine: <TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3105" ></A ><P ><B >Example 5-20. Using html types for PHP extensions</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="apache-conf" ># Make all PHP code look like html AddType application/x-httpd-php .htm .html</PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE > For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks. </P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="security.variables.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="security.current.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >User Submitted Data</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Keeping Current</TD ></TR ></TABLE ></DIV ></BODY ></HTML >