2010-03-28 22:10:10 +00:00
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
2009-07-11 06:22:53 +00:00
|
|
|
<!-- $Revision$ -->
|
2004-01-26 13:22:25 +00:00
|
|
|
<!-- splitted from ./index.xml, last change in rev 1.66 -->
|
2007-06-20 22:25:43 +00:00
|
|
|
<chapter xml:id="security.hiding" xmlns="http://docbook.org/ns/docbook">
|
2004-01-26 13:22:25 +00:00
|
|
|
<title>Hiding PHP</title>
|
|
|
|
|
<para>
|
|
|
|
|
In general, security by obscurity is one of the weakest forms of security.
|
|
|
|
|
But in some cases, every little bit of extra security is desirable.
|
|
|
|
|
</para>
|
|
|
|
|
<para>
|
2010-04-07 21:20:37 +00:00
|
|
|
A few simple techniques can help to hide <acronym>PHP</acronym>, possibly slowing
|
2004-01-26 13:22:25 +00:00
|
|
|
down an attacker who is attempting to discover weaknesses in your
|
2009-01-05 09:59:29 +00:00
|
|
|
system. By setting expose_php to <literal>off</literal> in your
|
|
|
|
|
&php.ini; file, you reduce the amount of information available to them.
|
2004-01-26 13:22:25 +00:00
|
|
|
</para>
|
|
|
|
|
<para>
|
|
|
|
|
Another tactic is to configure web servers such as apache to
|
2010-04-07 21:20:37 +00:00
|
|
|
parse different filetypes through <acronym>PHP</acronym>, either with an &htaccess;
|
2004-01-26 13:22:25 +00:00
|
|
|
directive, or in the apache configuration file itself. You can
|
|
|
|
|
then use misleading file extensions:
|
|
|
|
|
<example>
|
|
|
|
|
<title>Hiding PHP as another language</title>
|
|
|
|
|
<programlisting role="apache-conf">
|
|
|
|
|
<![CDATA[
|
|
|
|
|
# Make PHP code look like other code types
|
|
|
|
|
AddType application/x-httpd-php .asp .py .pl
|
|
|
|
|
]]>
|
|
|
|
|
</programlisting>
|
|
|
|
|
</example>
|
|
|
|
|
Or obscure it completely:
|
|
|
|
|
<example>
|
|
|
|
|
<title>Using unknown types for PHP extensions</title>
|
|
|
|
|
<programlisting role="apache-conf">
|
|
|
|
|
<![CDATA[
|
|
|
|
|
# Make PHP code look like unknown types
|
|
|
|
|
AddType application/x-httpd-php .bop .foo .133t
|
|
|
|
|
]]>
|
|
|
|
|
</programlisting>
|
|
|
|
|
</example>
|
2010-04-07 21:20:37 +00:00
|
|
|
Or hide it as <acronym>HTML</acronym> code, which has a slight performance hit because
|
|
|
|
|
all <acronym>HTML</acronym> will be parsed through the <acronym>PHP</acronym> engine:
|
2004-01-26 13:22:25 +00:00
|
|
|
<example>
|
2010-04-07 21:20:37 +00:00
|
|
|
<title>Using <acronym>HTML</acronym> types for PHP extensions</title>
|
2004-01-26 13:22:25 +00:00
|
|
|
<programlisting role="apache-conf">
|
|
|
|
|
<![CDATA[
|
|
|
|
|
# Make all PHP code look like HTML
|
|
|
|
|
AddType application/x-httpd-php .htm .html
|
|
|
|
|
]]>
|
|
|
|
|
</programlisting>
|
|
|
|
|
</example>
|
2010-04-07 21:20:37 +00:00
|
|
|
For this to work effectively, you must rename your <acronym>PHP</acronym> files with
|
2004-01-26 13:22:25 +00:00
|
|
|
the above extensions. While it is a form of security through
|
|
|
|
|
obscurity, it's a minor preventative measure with few drawbacks.
|
|
|
|
|
</para>
|
2004-08-08 16:11:36 +00:00
|
|
|
</chapter>
|
2004-01-26 13:22:25 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
<!-- Keep this comment at the end of the file
|
|
|
|
|
Local variables:
|
|
|
|
|
mode: sgml
|
|
|
|
|
sgml-omittag:t
|
|
|
|
|
sgml-shorttag:t
|
|
|
|
|
sgml-minimize-attributes:nil
|
|
|
|
|
sgml-always-quote-attributes:t
|
|
|
|
|
sgml-indent-step:1
|
|
|
|
|
sgml-indent-data:t
|
|
|
|
|
indent-tabs-mode:nil
|
|
|
|
|
sgml-parent-document:nil
|
2009-09-25 07:04:39 +00:00
|
|
|
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
|
2004-01-26 13:22:25 +00:00
|
|
|
sgml-exposed-tags:nil
|
|
|
|
|
sgml-local-catalogs:nil
|
|
|
|
|
sgml-local-ecat-files:nil
|
|
|
|
|
End:
|
|
|
|
|
vim600: syn=xml fen fdm=syntax fdl=2 si
|
|
|
|
|
vim: et tw=78 syn=sgml
|
|
|
|
|
vi: ts=1 sw=1
|
|
|
|
|
-->
|
