<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/shared-manual.inc';
$TOC = array();
$PARENTS = array();
include_once dirname(__FILE__) ."/toc/security.inc";
$setup = array (
'home' =>
array (
0 => 'index.php',
1 => 'PHP Manual',
),
'head' =>
array (
0 => 'UTF-8',
1 => 'en',
),
'this' =>
array (
0 => 'security.hiding.php',
1 => 'Hiding PHP',
),
'up' =>
array (
0 => 'security.php',
1 => 'Security',
),
'prev' =>
array (
0 => 'security.magicquotes.disabling.php',
1 => 'Disabling Magic Quotes',
),
'next' =>
array (
0 => 'security.current.php',
1 => 'Keeping Current',
),
);
$setup["toc"] = $TOC;
$setup["parents"] = $PARENTS;
manual_setup($setup);
manual_header();
?>
<div>
<h1>Hiding PHP</h1>
<p class="para">
In general, security by obscurity is one of the weakest forms of security.
But in some cases, every little bit of extra security is desirable.
</p>
<p class="para">
A few simple techniques can help to hide PHP, possibly slowing
down an attacker who is attempting to discover weaknesses in your
system. By setting expose_php to <i>off</i> in your
<var class="filename">php.ini</var> file, PHP stops announcing itself and its version
in the response headers it sends, which reduces the amount of information available to them.
</p>
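<p class="para">
The following script is an added example for this section, not code from the PHP manual or the PHP project. It checks a captured HTTP response header block (for instance the output of <var class="filename">curl -sI</var>) for the headers that still reveal PHP, and reads a <var class="filename">php.ini</var> fragment to tell whether expose_php is effectively on. The sample responses and ini fragments are constructed for offline use; the version string in them is invented.
</p>

```python
"""Added example (not from the PHP manual): verify that expose_php=Off
actually removed PHP's banner, and read the setting from php.ini text.

The HTTP responses and ini fragments below are constructed samples.
"""
from __future__ import annotations

import re

# A PHP product token with an optional version, e.g. "PHP/8.2.0".
_PHP_TOKEN = re.compile(r"\bPHP(?:/[\w.\-]+)?", re.IGNORECASE)


def parse_headers(raw: str) -> dict[str, str]:
    """Turn a raw response header block into {name: value} with lowercase names."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def php_leaks(raw: str) -> list[str]:
    """Return the names of headers that reveal PHP; an empty list means none."""
    headers = parse_headers(raw)
    leaks = []
    # X-Powered-By is the header expose_php=On adds.
    if "x-powered-by" in headers and _PHP_TOKEN.search(headers["x-powered-by"]):
        leaks.append("x-powered-by")
    # The Server header is controlled by the web server (ServerTokens in Apache),
    # but may also carry a PHP token depending on how PHP is integrated.
    if "server" in headers and _PHP_TOKEN.search(headers["server"]):
        leaks.append("server")
    return leaks


def ini_expose_php(ini_text: str) -> bool:
    """Return True if expose_php is effectively On in the given php.ini text.

    PHP's built-in default is On, so a missing directive counts as On, and a
    later directive overrides an earlier one, as in php.ini itself.
    """
    value = "on"
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "expose_php":
            value = val.strip().strip('"').lower()
    return value in ("on", "1", "true", "yes")


# Constructed samples: the same page before and after expose_php is turned off.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/8.2.0\r\n"  # constructed version string
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
INI_OFF = "; constructed php.ini fragment\nexpose_php = Off\n"
INI_DEFAULT = "; constructed fragment with no expose_php line\ndisplay_errors = Off\n"

if __name__ == "__main__":
    print("before:", php_leaks(RESPONSE_BEFORE))   # ['x-powered-by']
    print("after: ", php_leaks(RESPONSE_AFTER))    # []
    print("INI_OFF exposes PHP:", ini_expose_php(INI_OFF))          # False
    print("INI_DEFAULT exposes PHP:", ini_expose_php(INI_DEFAULT))  # True
```

<p class="para">
Against a live server the same function can be fed <var class="filename">curl -sI http://host/</var> output; checking the response rather than only the ini file matters because a different php.ini than expected may be loaded, and the Server header is governed by the web server, not by expose_php.
</p>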
<p class="para">
Another tactic is to configure web servers such as Apache to
parse different file types through PHP, either with an <var class="filename">.htaccess</var>
directive, or in the Apache configuration file itself. You can
then use misleading file extensions:
</p><div class="example">
<p><b>Example #1 Hiding PHP as another language</b></p>
<div class="example-contents programlisting">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl</pre>
</div>
</div>
</div><p>
Or obscure it completely:
</p><div class="example">
<p><b>Example #2 Using unknown types for PHP extensions</b></p>
<div class="example-contents programlisting">
<div class="apache-confcode"><pre class="apache-confcode"># Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t</pre>
</div>
</div>
</div><p>
Or hide it as HTML code, which has a slight performance hit because
all HTML will be parsed through the PHP engine. Note that every file with
these extensions in the affected scope, including static or user-supplied
HTML, is then executed as PHP code:
</p><div class="example">
<p><b>Example #3 Using HTML types for PHP extensions</b></p>
<div class="example-contents programlisting">
<div class="apache-confcode"><pre class="apache-confcode"># Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html</pre>
</div>
</div>
</div><p>
For this to work effectively, you must rename your PHP files with
the above extensions. While it is a form of security through
obscurity, it's a minor preventative measure with few drawbacks.
</p>
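<p class="para">
The script below is an added example for this section, not code from the PHP manual or from Apache; it audits which extensions an Apache configuration hands to the PHP engine through the AddType (or AddHandler) directives shown above, and flags those that also name ordinary static content, as Example #3 does. The configuration fragment and the list of static-content extensions are constructed assumptions.
</p>

```python
"""Added example (not from the PHP manual): list the extensions an Apache
configuration maps to PHP via AddType/AddHandler and flag the ones that
also name static content. The sample configuration is constructed.
"""
from __future__ import annotations

import shlex

# The type the manual's examples use to route files through PHP.
PHP_TYPE = "application/x-httpd-php"

# Assumption for this example: extensions normally served as static content,
# which would be executed as PHP if mapped (the manual's Example #3 case).
STATIC_CONTENT_EXTENSIONS = {".htm", ".html"}


def _normalise(ext: str) -> str:
    """Apache extensions are case-insensitive and may omit the leading dot."""
    ext = ext.lower()
    return ext if ext.startswith(".") else "." + ext


def php_extensions(conf: str) -> set[str]:
    """Return the set of normalised extensions mapped to PHP in the config text."""
    exts: set[str] = set()
    for raw in conf.splitlines():
        line = raw.strip()
        # In Apache config a comment is a line whose first character is '#'.
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # directive arguments may be quoted
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(parts) < 3 or parts[0].lower() not in ("addtype", "addhandler"):
            continue
        if parts[1].lower() != PHP_TYPE:
            continue
        exts.update(_normalise(e) for e in parts[2:])
    return exts


def audit(conf: str) -> dict[str, set[str]]:
    """Summarise which extensions run as PHP and which also name static content."""
    exts = php_extensions(conf)
    return {
        "php_extensions": exts,
        "also_static": exts & STATIC_CONTENT_EXTENSIONS,
    }


# Constructed fragment combining the manual's three examples with unrelated lines.
SAMPLE_CONF = """# constructed Apache fragment, not a real server's configuration
AddType application/x-httpd-php .asp .py .pl
AddType application/x-httpd-php .bop .foo .133t
AddType application/x-httpd-php .htm .html
AddType text/css .css
AddHandler cgi-script .cgi
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    print("executed as PHP:", sorted(result["php_extensions"]))
    print("also static content:", sorted(result["also_static"]))
```

<p class="para">
Running the audit over the actual server configuration (including any <var class="filename">.htaccess</var> files in directories that accept uploads) shows at a glance which extensions are executable, so that directories holding user-supplied files can be kept out of the mapping's scope.
</p>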
</div>
<?php manual_footer(); ?>