security.hiding.html

php的帮助文档,涉及到PHP的案例和基本语法,以及实际应用内容

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <title>Hiding PHP</title>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 </head>
 <body><div style="text-align: center;">
 <div class="prev" style="text-align: left; float: left;"><a href="security.magicquotes.disabling.html">Disabling Magic Quotes</a></div>
 <div class="next" style="text-align: right; float: right;"><a href="security.current.html">Keeping Current</a></div>
 <div class="up"><a href="security.html">Security</a></div>
 <div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div>
   <h1>Hiding PHP</h1>

   <p class="para">
    In general, security by obscurity is one of the weakest forms of security.
    But in some cases, every little bit of extra security is desirable.
   </p>
   <p class="para">
    A few simple techniques can help to hide PHP, possibly slowing
    down an attacker who is attempting to discover weaknesses in your
    system. By setting expose_php = off in your <var class="filename">php.ini</var> file, you
    reduce the amount of information available to them.
   </p>
   <p class="para">
    Another tactic is to configure web servers such as apache to
    parse different filetypes through PHP, either with an <var class="filename">.htaccess</var>
    directive, or in the apache configuration file itself. You can
    then use misleading file extensions:
    <div class="example">
     <p><b>Example #1 Hiding PHP as another language</b></p>
     <div class="example-contents">
<div class="cdata"><pre>
# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl
</pre></div>
     </div>

    </div>
    Or obscure it completely:
    <div class="example">
     <p><b>Example #2 Using unknown types for PHP extensions</b></p>
     <div class="example-contents">
<div class="cdata"><pre>
# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t
</pre></div>
     </div>

    </div>
    Or hide it as HTML code, which has a slight performance hit because
    all HTML will be parsed through the PHP engine:
    <div class="example">
     <p><b>Example #3 Using HTML types for PHP extensions</b></p>
     <div class="example-contents">
<div class="cdata"><pre>
# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html
</pre></div>
     </div>

    </div>
    For this to work effectively, you must rename your PHP files with
    the above extensions. While it is a form of security through
    obscurity, it&#039;s a minor preventative measure with few drawbacks.
   </p>
  </div>
<hr /><div style="text-align: center;">
 <div class="prev" style="text-align: left; float: left;"><a href="security.magicquotes.disabling.html">Disabling Magic Quotes</a></div>
 <div class="next" style="text-align: right; float: right;"><a href="security.current.html">Keeping Current</a></div>
 <div class="up"><a href="security.html">Security</a></div>
 <div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>