熊猫购彩

<meter id="pgsoe"></meter>

<code id="pgsoe"><u id="pgsoe"></u></code>

<acronym id="pgsoe"><video id="pgsoe"></video></acronym>
    1. <label id="pgsoe"></label>
  • <acronym id="pgsoe"><legend id="pgsoe"><blockquote id="pgsoe"></blockquote></legend></acronym>
      <label id="pgsoe"></label>
    <acronym id="pgsoe"></acronym>
  • <meter id="pgsoe"><u id="pgsoe"><option id="pgsoe"></option></u></meter>
    <output id="pgsoe"></output>
  • <var id="pgsoe"><ol id="pgsoe"></ol></var>

    Hiding PHP

    In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable.

    A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php to off in your php.ini file, you reduce the amount of information available to them.

    Another tactic is to configure web servers such as apache to parse different filetypes through PHP, either with an .htaccess directive, or in the apache configuration file itself. You can then use misleading file extensions:

    Example #1 Hiding PHP as another language

    # Make PHP code look like other code types
    AddType application/x-httpd-php .asp .py .pl
    Or obscure it completely:

    Example #2 Using unknown types for PHP extensions

    # Make PHP code look like unknown types
    AddType application/x-httpd-php .bop .foo .133t
    Or hide it as HTML code, which has a slight performance hit because all HTML will be parsed through the PHP engine:

    Example #3 Using HTML types for PHP extensions

    # Make all PHP code look like HTML
    AddType application/x-httpd-php .htm .html
    For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks.

    add a note add a note

    User Contributed Notes 25 notes

    up
    25
    rustamabd at google mail
    13 years ago
    So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in top-level directory AND subdirectories and it doesn't need hardcoding the RewriteBase.

    .htaccess:

    RewriteEngine on

    # Rewrite /foo/bar to /foo/bar.php
    RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

    # Return 404 if original request is /foo/bar.php
    RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
    RewriteRule .* - [L,R=404]

    # NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
    # RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]
    up
    14
    anon at example dot com
    6 years ago
    The session name defaults to PHPSESSID.  This is used as the name of the session cookie that is sent to the user's web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77).

    To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start().  Example:

    session_name("id");
    session_start();

    Cheers.
    up
    8
    ldemailly at qualysNOSPAM dot com
    16 years ago
    adding MultiViews to your apache Options config
    lets you hide/omit .php in the url without any rewriting, etc...
    up
    9
    mmj
    16 years ago
    You can see if somebody's using PHP just by adding the following to the end of the URL:
    ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    If the page is using PHP, this will show the PHP credits.

    Setting expose_php to Off in php.ini prevents this.
    up
    6
    yasuo_ohgaki at yahoo dot com
    18 years ago
    To hide PHP, you need following php.ini settings

    expose_php=Off
    display_errors=Off

    and in httpd.conf

    ServerSignature Off
    (min works, but I prefer off)
    up
    7
    CD001
    9 years ago
    It's a good idea to "hide" PHP anyway so you can write a RESTful web application.

    Using Apache Mod Rewrite:

    RewriteEngine On
    RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

    You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

    <?php
    function myGET() {
     
    $aGet = array();

      if(isset(
    $_GET['query'])) {
       
    $aGet = explode('/', $_GET['query']);
      }

      return
    $aGet;
    }
    ?>

    This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.
    up
    4
    Pyornide
    11 years ago
    The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.
    up
    6
    marpetr at NOSPAM dot gmail dot com
    14 years ago
    I think the best way to hide PHP on Apache and Apache itself is this:

    httpd.conf
    -------------
    # ...
    # Minimize 'Server' header information
    ServerTokens Prod
    # Disable server signature on server generated pages
    ServerSignature Off
    # ...
    # Set default file type to PHP
    DefaultType application/x-httpd-php
    # ...

    php.ini
    ------------
    ; ...
    expose_php = Off
    ; ...

    Now the URLs will look like this:
    http://my.server.com/forums/post?forumid=15

    Now hacker knows only that you are using Apache.
    up
    3
    info at frinteractives dot com
    4 years ago
    try this
    RewriteEngine On

    # Unless directory, remove trailing slash
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^/]+)/$ http://example.com/folder/$1 [R=301,L]

    # Redirect external .php requests to extensionless url
    RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
    RewriteRule ^(.+)\.php$ http://example.com/folder/$1 [R=301,L]

    # Resolve .php file for extensionless php urls
    RewriteRule ^([^/.]+)$ $1.php [L]
    up
    3
    sandaimespaceman at gmail dot com
    11 years ago
    Set INI directive "expose_php" to "off" will also help.
    You can spoof your PHP to ASP.NET by using:
    <?php
    error_reporting
    (0);
    header("X-Powered-By: ASP.NET");
    ?>
    up
    3
    Anonymous
    16 years ago
    Keep in mind, if your really freaked out over hiding PHP, GD will expose you.

    Go ahead - make an image with GD and open with a text editor.. Somewhere in there you'll see a comment with gd & php all over it.
    up
    3
    Anonymous
    17 years ago
    PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you.  The problem is that safe-mode forces Apache to honor trailing characters in a requested URL.  This means that:

    http://www.example.com/home

    would still be processed by the home script in our doc root, but for:

    http://www.example.com/home/contact_us.html

    apache would actually look for the /home/contact_us.html file in our doc root.

    The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host.  So, for a virtual host listening on port 8080, the apache directives would look like this:

    <VirtualHost *:8080>
        DocumentRoot /web/doc_root
        Alias /home "/web/doc_root/home.php"
        AcceptPathInfo On
    </VirtualHost>

    Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off.  The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host.  This is the equivilent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.
    up
    3
    l0rdphi1 at liquefyr dot com
    16 years ago
    More fun includes files without file extensions.

    Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set.

    Oh yea, it gets even better when you play with stuff like the following:

    <?php
    substr
    ($_SERVER['PATH_INFO'],1);
    ?>

    e.g. www.example.com/somepage/55

    And:

    <?php
    foreach ( explode('/',$_SERVER['PATH_INFO']) as $pair ) {
        list(
    $key,$value) = split('=',$pair,2);
       
    $param[$key] = stripslashes($value);
    }
    ?>

    e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc

    Enjoy =)
    up
    2
    istvan dot takacsNOSPAM at hungax dot com
    18 years ago
    And use the
    ServerTokens min
    directive in your httpd.conf to hide installed PHP modules in apache.
    up
    2
    m1tk4 at hotmail dot com
    17 years ago
    I usually do:

    <code>
    RewriteEngine on<br>
    RewriteOptions inherit<br>
    RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]<br>
    </code>

    in .htaccess. You'll need mod_rewrite installed for this .
    up
    1
    benjamin at sonntag dot fr
    15 years ago
    In response to the previous messages, for apache, there is a easier way to set files without "." to be executed by PHP, just put this in a ".htaccess" file :

    DefaultType  application/x-httpd-php
    up
    -1
    php at user dot net
    16 years ago
    What about this in a .htaccess file :

    RewriteEngine on
    RewriteRule    ^$    /index.php    [L]
    RewriteRule    ^([a-zA-Z0-9\-\_/]*)/$    /$1/index.php    [L]
    RewriteRule    ^([a-zA-Z0-9\-\_/]*)\.(html|htm)$    /$1.php    [L]
    RewriteRule    ^([a-zA-Z0-9\-\_/]*)$    /$1.php    [L]

    Typing "sub.domain.foo/anything" loads "/anything/index.php" if 'anything' is a directory, else it loads "/anything.php".

    I'm sure you can find mutch better, but it works great on my site :)
    up
    -2
    simon at carbontwelevedesign dot co dot uk
    13 years ago
    I use the following in the .htaccess document

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    then the following simple code

    <?php

    $permalinks
    = explode("/",$_SERVER['REQUEST_URI']);

    $varone = $permalinks[1];
    $vartwo = $permalinks[2];

    ...

    ?>
    up
    -2
    php at vfmedia dot de
    15 years ago
    I?ve found an easy way to hide php code and the uri is searchable by google and others...(only for unix or linux)

    At first I have some rules in my hide.conf (i made an extra .conf for it (apache 2.0))

    For example when I want to mask the index.php

    <Files index>
    ForceType application/x-httpd-php
    </Files>

    My problem is, that my code should be readable...

    so I made an extra folder for example srv/www/htdocs/static_output

    My phpcode is in the includefolder....(for ex. mnt/source/index.php)

    Then I made a link in the shell  > ln mnt/source/index.php srv/www/htdocs/static_output/index

    So the code is readable (with .php extension) in my includefolder and there is only the link in the srv folder without extension(which is called by the browser...).
    up
    -4
    jtw90210
    14 years ago
    In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf.

    AddType application/x-httpd-php .php .html
    AcceptPathInfo On

    Try it out with your phpinfo page and you'll be able to search for PATH_INFO.

    http://example.com/myphpinfo.php/showmetheway

    If you want to drop the .php use one or both of these:
    DefaultType application/x-httpd-php
    ForceType application/x-httpd-php
    up
    -5
    Bryce Nesbitt at Obviously.COM
    17 years ago
    Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:

    (1) Don't hard code file types at all.  Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. This is called canonical URL format:
         www.xxxxxx.com/page
        www.xxxxxx.com/directory/
    This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.

    (2) In an Apache .htaccess file use:
        RewriteEngine on
        RewriteRule page.html page.php

    (3) Force the webserver to interpret ALL .html files as .php:
        AddType application/x-httpd-php .php3 .php .html
    up
    -3
    omolewastephen at gmail dot com
    2 years ago
    I used this on my site and it works great for me

    # RewriteEngine on

    # Rewrite /foo/bar to /foo/bar.php
    # RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

    # Return 404 if original request is /foo/bar.php
    # RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
    # RewriteRule .* - [L,R=404]

    # NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
    # RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]
    up
    -6
    sth at panix dot com
    17 years ago
    The flipside to this is, if you're running a version of
    PHP/Apache which is not known to have exploitable bugs (usually the latest stable version at the time), and an attacker sees this, they may give up before even trying. If they don't, they may continue to attempt their exploit(s).

    It really depends on the type of attacker. The educated, security advisory reading attacker vs. script kiddie on the street.

    If you're keeping up on patches, version exposition should not be a problem for you.
    up
    -12
    Ryan
    8 years ago
    Another way to hide php is by removing the extension completely, like so:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+)$ /$1.php [L,QSA]

    Hope this helps!
    up
    -16
    Raz
    12 years ago
    May some servers not allow you to put this line (i.e this not work)

    AddType application/x-httpd-php .asp .py .pl
    or
    DefaultType application/x-httpd-php

    so, the alternative method that really a good one is:

    1- In your .htaccess file write:

    RewriteEngine  on
    RewriteBase  /dire/ or just /
    RewriteRule  securename   yourfile\.php  [T=application/x-httpd-php]

    example: all url like
    www.example.com/securename  parsed as
    www.example.com/yourfile.php

    2- but here the $_GET not work, but $_POST work, so for dynamic pages like
    www.example.com/yourfile.php?page=1 you use
    www.example.com/securename?page=1

    now: instead of using $_GET use
    <?php
    $uri        
    = $_SERVER['REQUEST_URI'];
    $page        = strstr($uri, '=');
    $page        = substr($page, 1);
    $valid_pages = array('1', '2','...');
    $page        = in_array($page, $valid_pages) ? $page : '1';
    //....
    ?>

    and for bad URL you can add this code to .htaccess file
    of coarse below the first code in .htaccess
    #--
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.*$ http://www.example.com/securename [L]
    To Top
    阆中| 桂平| 靖西| 洛浦| 曲沃| 青川| 天祝| 都匀| 博湖| 长阳| 桐梓| 左云| 循化| 墨竹贡卡| 石棉| 宽甸| 和林格尔| 格尔木| 陵县| 陈巴尔虎旗| 清水河| 岳西| 延津| 绥化| 汝州| 东兴| 正定| 铁卜加寺| 威信| 青河| 昌乐| 土默特左旗| 兴县| 成武| 顺义| 漳浦| 无极| 英山| 卓尼| 阳朔| 天峻| 临澧| 泊头| 山南| 太湖| 括苍山| 巴南| 梁平| 连平| 永嘉| 睢阳区| 邱县| 重庆| 宕昌| 镇赉| 神农架| 庄河| 枞阳| 宁南| 大武| 烟筒山| 田林| 太原古交区| 洞头| 灵璧| 嘉祥| 辽阳县| 清原| 务川| 吉木萨尔| 通州| 敦化| 吴江| 韶关| 丹东| 锡林高勒| 眉山| 魏山| 双江| 崇左| 汉源| 谷城| 吴忠| 高邑| 花都| 民勤| 台山| 武强| 吕泗| 长寿| 延长| 共和| 赣州| 自贡| 潞江坝| 桂阳| 丹寨| 遂宁| 德清| 文登| 古县| 德阳| 炮台| 盈江| 永寿| 开阳| 大连| 昌吉| 永新| 永顺| 西充| 澄迈| 云县| 珙县| 建阳| 鹰潭| 彭泽| 方城| 乌审召| 浠水| 大足| 崇信| 河口| 博乐| 罗甸| 陆良| 江津| 乌伊岭| 元阳| 苏家屯| 和龙| 甘南| 江川| 大冶| 满洲里| 叙永| 丁青| 云龙| 延川| 东至| 双阳| 策勒| 嘉兴| 曲江| 房山| 平乐| 五华| 元阳| 巴塘| 赤壁| 聊城| 察哈尔右翼中旗| 朱日和| 洛浦| 那仁宝力格| 东阳| 博山| 吉首| 伊金霍洛旗| 炮台| 淅川| 宜城| 新化| 沙坪坝| 斗门| 关岭| 宜昌| 漠河| 名山| 环县| 新民| 闽侯| 浑源| 婺源| 青龙山| 商都| 昭觉| 呼和浩特市郊区| 海南| 武平| 巴南| 乐东| 顺德| 威远| 江山| 西宁| 乌审召| 金坛| 浚县| 大石桥| 盂县| 引水船| 海伦| 沅陵| 东平| 兰考| 金阳| 台山| 新丰| 屏山| 蒲江| 东岗| 龙胜| 怀宁| 周口| 和林格尔| 蔡家湖| 永州| 韩城| 镇宁| 华山| 贞丰| 草河口| 惠东| 阜新| 元氏| 涞源| 翁牛特旗| 驻马店| 密云上甸子| 永顺| 金昌| 东港| 宝应| 杭锦旗| 盖州| 永康| 元谋| 阜城| 泰州| 同安| 信丰| 贵溪| 余杭| 惠农| 浚县| 江宁| 南皮| 壤塘| 当雄| 合川| 松滋| 南沙岛| 绿春| 高淳| 潮州| 梨树| 英吉沙| 乌兰浩特| 临安| 泸县| 海渊| 琼山| 雷波| 白云| 德化| 烟台| 额济纳旗| 青铜峡| 江城| 越西| 宜川| 西沙| 冕宁| 丰宁| 鹿邑| 东沙岛| 鹤峰| 弥勒| 林西| 麦盖提| 攸县| 保靖| 苏州| 洋县| 东宁| 茂名| 宁县| 津南| 塔城| 墨江| 米林| 锦屏| 潞西| 清水| 仙居| 乐山| 汕头| 扶绥| 肇庆| 建宁| 长泰| 滨海| 灵邱| 兰坪| 长兴| 孝义| 陆丰| 宁阳| 富顺| 固安| 太康| 上思| 西乌珠穆沁旗| 澜沧| 伊金霍洛旗| 普格| 巴中| 泸州| 株洲| 来凤| 墨玉| 准格尔旗| 索县| 那仁宝力格| 河口| 乐陵| 饶平| 开封| 大城| 鹤壁| 临武| 沁县| 昆山| 宣汉| 华坪| 抚顺| 明水| 蔚县| 乌拉特后旗| 常州| 栾川| 呼图壁| 莎车| 大关| 岳普湖| 三河| 泰和| 汤原| 大荔| 南平| 壤塘| 元谋| 巴盟农试站| 龙山| 新龙| 新邵| 长丰| 句容| 尉犁| 巴林右旗| 绛县| 方正| 武平| 蔚县| 华容| 西安| 安义| 东莞| 北安| 扶风| 房县| 梅州| 龙泉驿| 绛县| 伊和郭勒| 大武口| 诸暨| 苍南| 若羌| 横山| 凌云| 玉屏| 临汾| 长宁| 临朐| 连江| 松江| 西华| 池州| 泸西| 五寨| 乌鲁木齐牧试站| 宁安| 二连浩特| 广水| 郸城| 加查| 山阴| 腾冲| 闽清| 三河| 邵阳县| 香日德| 永平| 宝过图| 尤溪| 道孚| 罗江| 琼海