File: hiding.xml

package info (click to toggle)
php-doc 20241205~git.dfcbb86%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 70,956 kB
  • sloc: xml: 968,269; php: 23,883; javascript: 671; sh: 177; makefile: 37
file content (77 lines) | stat: -rw-r--r-- 2,660 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- splitted from ./index.xml, last change in rev 1.66 -->
  <chapter xml:id="security.hiding" xmlns="http://docbook.org/ns/docbook">
   <title>Hiding PHP</title>
   <para>
    In general, security by obscurity is one of the weakest forms of security.
    But in some cases, every little bit of extra security is desirable.
   </para>
   <para>
    A few simple techniques can help to hide <acronym>PHP</acronym>, possibly slowing
    down an attacker who is attempting to discover weaknesses in your
    system. By setting expose_php to <literal>off</literal> in your 
    &php.ini; file, you reduce the amount of information available to them.
   </para>
   <para>
    Another tactic is to configure web servers such as apache to
    parse different filetypes through <acronym>PHP</acronym>, either with an &htaccess;
    directive, or in the apache configuration file itself. You can
    then use misleading file extensions:
    <example>
     <title>Hiding PHP as another language</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl
]]>
     </programlisting>
    </example>
    Or obscure it completely:
    <example>
     <title>Using unknown types for PHP extensions</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t
]]>
     </programlisting>
    </example>
    Or hide it as <acronym>HTML</acronym> code, which has a slight performance hit because
    all <acronym>HTML</acronym> will be parsed through the <acronym>PHP</acronym> engine:
    <example>
     <title>Using <acronym>HTML</acronym> types for PHP extensions</title>
     <programlisting role="apache-conf">
<![CDATA[
# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html
]]>
     </programlisting>
    </example>
    For this to work effectively, you must rename your <acronym>PHP</acronym> files with
    the above extensions. While it is a form of security through
    obscurity, it's a minor preventative measure with few drawbacks.
   </para>
  </chapter>


<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->