htm Extension

Can I configure Apache to recognize PHP Code in a page with an .htm
extension? If so, how do I do it?

Thanks.

Bruce
Jul 17 '05 #1
6 Replies


Bruce A. Julseth wrote:
> Can I configure Apache to recognize PHP Code in a page with an .htm
> extension? If so, how do I do it?
>
> Thanks.
>
> Bruce

.htaccess file (in the directory where you want to enable it) should
contain the following:

AddType application/x-httpd-php .htm

No need to do it for the sub-directories, it's recursive.

--
Justin Koivisto - ju****@koivi.com
http://koivi.com
Jul 17 '05 #2

Be careful when you make a change like that. When you suddenly make
non-executable files executable, you could introduce very serious
vulnerabilities.

For example, say you have a log analyser that produces .htm files. In the
reports, the names of the browsers are listed. If the analyser doesn't
properly escape the user-agent field, then an attacker can inject PHP
code into your site.

Jul 17 '05 #3

I agree with Chung, this is a rather non-standard and risky kind of
change to make. Be sure to review your alternatives before choosing
this action.

~D

Jul 17 '05 #4

Could you elaborate on that? How would a person be able to inject code
because of an improperly escaped field?

And why would this be a risk with a PHP generated .htm file and not a
static .htm file with similar escaped field?

Or for that matter, would a .php file be immune from this exploit?

Jul 17 '05 #5

> Could you elaborate on that? How would a person be able to inject code
> because of an improperly escaped field?
>
> And why would this be a risk with a PHP generated .htm file and not a
> static .htm file with similar escaped field?
>
> Or for that matter, would a .php file be immune from this exploit?


These vulnerabilities do exist; however, it is a little different because
you are adding a scripting language to a filetype that is not meant to
have a scripted language and is not default behavior.

However, most clients should always make sure to escape a field, but here
is the problem.

Someone sends their user agent as: <?php echo('hi'); ?> (would most
likely be worse) and then all of a sudden for your useragent in a log
writer could show that. Now when that is parsed through PHP, obviously
you are going to get "hi".

Now when the useragent is used in PHP you cannot execute anything
because you are either parsing the value from the database or just using
the $_SERVER variable to retrieve the string. Now I say string because
all PHP thinks of it is that it is a string.

I hope that helps and clarifies things a bit.

Mike
Jul 17 '05 #6
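
The escaping and pre-change audit discussed in the replies above, as an added example that is not part of the original thread: a report writer that HTML-escapes the User-Agent before it reaches an .htm file, plus a scan of existing .htm files for PHP opening tags to run before adding the AddType line. The function names and the sample agents are hypothetical and constructed for illustration.

```python
import html
import pathlib
import re
from collections import Counter

# Constructed sample: User-Agent values as a log analyser might read them.
SAMPLE_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64)",
    "Mozilla/5.0 (X11; Linux x86_64)",
    "<?php echo('hi'); ?>",  # the user agent quoted in the post above
]

# "<?" covers <?php, <?= and the short open tag (an <?xml line matches too).
PHP_OPEN_TAG = re.compile(r"<\?")


def render_report(agents, escape=True):
    """Build the browser table of an .htm report (hypothetical analyser)."""
    rows = []
    for agent, count in Counter(agents).most_common():
        cell = html.escape(agent) if escape else agent  # "<" becomes "&lt;"
        rows.append(f"<tr><td>{cell}</td><td>{count}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>\n"


def php_tags_in(text):
    """Return (line number, line) for each line where PHP would start parsing."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if PHP_OPEN_TAG.search(line)]


def audit_tree(root):
    """Scan existing .htm files under root before enabling PHP for .htm."""
    findings = {}
    for path in pathlib.Path(root).rglob("*.htm"):
        hits = php_tags_in(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    print(php_tags_in(render_report(SAMPLE_AGENTS, escape=False)))
    print(php_tags_in(render_report(SAMPLE_AGENTS)))
```

Because the AddType line applies to sub-directories as well, the audit has to cover the whole tree below the directory holding the .htaccess file.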


"Bruce A. Julseth" <br***********@attglobal.net> wrote in message
news:42********@news1.prserv.net...
> Can I configure Apache to recognize PHP Code in a page with an .htm
> extension? If so, how do I do it?
>
> Thanks.
>
> Bruce


Thanks for the help.. I guess I'll remain using PHP as my extension.

Thanks again..
Jul 17 '05 #7
