Hiding PHP extension

I'm supposed to hide the php extension in a file (like Yahoo! or
Google). For example, http://foo.com/foo instead of
http://foo.com/foo.php. I have read various articles including
<http://in2.php.net/security.hiding> . Certainly mod_rewrite is not
the right option. In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is? Is there
any other options to do the same? TIA

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #1
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:
I'm supposed to hide the php extension in a file
(like Yahoo! or Google). For example, http://foo.com/foo
instead of http://foo.com/foo.php.


Use http://foo.com/foo/ instead.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #2
On Fri, 02 Apr 2004 10:21:15 +0000, Tim Tyler wrote:
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:
I'm supposed to hide the php extension in a file
(like Yahoo! or Google). For example, http://foo.com/foo
instead of http://foo.com/foo.php.


Use http://foo.com/foo/ instead.

This will fail.. as it will look for a directory. The OP has it right..
and I don't foresee any issues with the way they have it.. although I may be
missing some hidden issues.

Regards,

Ian

--
Ian.H
digiServ Network
London, UK
http://digiserv.net/

Jul 17 '05 #3
R. Rajesh Jeba Anbiah wrote:
For example, http://foo.com/foo instead of
http://foo.com/foo.php. Is there
any other options to do the same? TIA


I do:

.htaccess in DocumentRoot

ErrorDocument 404 /notfound.php
and /notfound.php

<?php
// validate $_SERVER['REQUEST_URI']
// and either {
// show some specific page/data
// } or {
// show error message
// }
?>

So if you go to http://example.com/foo and /foo does not exist,
/notfound.php will take control and can include/require or redirect to
/foo.php

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #4
Pedro Graca wrote:
Is there
any other options to do the same? TIA


I do:

.htaccess in DocumentRoot

ErrorDocument 404 /notfound.php
and /notfound.php

<?php
// validate $_SERVER['REQUEST_URI']
// and either {
// show some specific page/data
// } or {
// show error message
// }
?>

So if you go to http://example.com/foo and /foo does not exist,
/notfound.php will take control and can include/require or redirect to
/foo.php


Wouldn't this just return a 404 header and the content (thereby telling
any search engines to remove it from their list as you wouldn't normally
have valid content in a 404 page).

Cheers,
Andy
Jul 17 '05 #5
Andy Jeffries wrote:
Pedro Graca wrote:
I do:

.htaccess in DocumentRoot

ErrorDocument 404 /notfound.php
and /notfound.php

<?php
// validate $_SERVER['REQUEST_URI']
// and either {
// show some specific page/data
// } or {
// show error message
// }
?>
Wouldn't this just return a 404 header and the content (thereby telling
any search engines to remove it from their list as you wouldn't normally
have valid content in a 404 page).


Yes, it would ... unless you also send a

header('HTTP/1.0 200 OK');

which overrides Apache's behaviour.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #6
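The 404-handler approach from the posts above, written out as an added example (not code from any poster in this thread): the request path is checked against an allow-list before anything is included, and the 404 status that Apache set for the ErrorDocument is replaced. The route table, the pages/ directory and the function name are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// notfound.php, reached through "ErrorDocument 404 /notfound.php".
// Added example; the names below are assumptions, not from the thread.

// Hypothetical allow-list: public name => script that renders it.
// Nothing outside this table can ever be included.
const ROUTES = [
    'foo'     => 'foo.php',
    'contact' => 'contact.php',
];

/**
 * Map a raw request URI to an allow-listed script name, or null.
 */
function resolve_route(string $requestUri): ?string
{
    // Drop the query string; parse_url gives false/null on malformed input.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $name = trim(rawurldecode($path), '/');
    // Short lowercase names only: no dots, slashes, NUL bytes or "..".
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    return ROUTES[$name] ?? null;
}

$script = resolve_route($_SERVER['REQUEST_URI'] ?? '');

if ($script !== null) {
    // Replace the 404 status so clients and crawlers see a normal page.
    http_response_code(200);
    // Assumed layout: page scripts live in pages/ beside this file.
    require __DIR__ . '/pages/' . $script;
} else {
    // Unknown name: keep it a real 404 and echo nothing from the request.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Not found\n";
}
```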
On 1 Apr 2004 22:08:14 -0800, ng**********@rediffmail.com (R. Rajesh Jeba
Anbiah) wrote:
In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is?


I've been using this for a while and have had no problem with it. Just
remember to set Options MultiViews.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #7
put this in an .htaccess file

DefaultType application/x-httpd-php

This will make every unknown filetype be considered a PHP file.

Savut

"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.c om...
I'm supposed to hide the php extension in a file (like Yahoo! or
Google). For example, http://foo.com/foo instead of
http://foo.com/foo.php. I have read various articles including
<http://in2.php.net/security.hiding> . Certainly mod_rewrite is not
the right option. In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is? Is there
any other options to do the same? TIA

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com


Jul 17 '05 #8
On Fri, 2 Apr 2004 14:16:01 -0500, "Savut" <we***@hotmail.com> wrote:
put this in an .htaccess file

DefaultType application/x-httpd-php

This will make every unknown filetype be considered a PHP file.


This really isn't a good idea.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #9
But this is what you HAVE TO DO to do it; you just have to put your files
and the .htaccess file in a special folder, and this rule applies only to that
folder, just like cgi-bin works. That's what major companies do, and it
works more normally than the other solutions, as the rule is designed to
do this job.

Savut

"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:i3********************************@4ax.com...
On Fri, 2 Apr 2004 14:16:01 -0500, "Savut" <we***@hotmail.com> wrote:
put this in an .htaccess file

DefaultType application/x-httpd-php

This will make every unknown filetype be considered a PHP file.


This really isn't a good idea.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space


Jul 17 '05 #10
On Fri, 2 Apr 2004 15:15:16 -0500, "Savut" <we***@hotmail.com> wrote:
"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:i3********************************@4ax.com.. .
On Fri, 2 Apr 2004 14:16:01 -0500, "Savut" <we***@hotmail.com> wrote:
put this in an .htaccess file

DefaultType application/x-httpd-php

This will make every unknown filetype be considered a PHP file.


This really isn't a good idea.


But this is what you HAVE TO DO to do it; you just have to put your files
and the .htaccess file in a special folder, and this rule applies only to that
folder, just like cgi-bin works. That's what major companies do, and it
works more normally than the other solutions, as the rule is designed to
do this job.


What's wrong with using Options MultiViews?

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #11
Because you don't control how Apache finds the next file when it doesn't find
your file.

[...]
The effect of MultiViews is as follows: if the server receives a request for
/some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does
not exist, then the server reads the directory looking for files named
foo.*, and effectively fakes up a type map which names all those files,
assigning them the same media types and content-encodings it would have if
the client had asked for one of them by name. It then chooses the best match
to the client's requirements.
[...]

And also, the job of MultiViews is to send a file when something is not found
but looks similar to the file that was requested. If you want
http://www.domain.com/foo and it doesn't exist, the server will search for
http://www.domain.com/foo.txt or http://www.domain.com/foo.php,
http://www.domain.com/foo.dat, and so on until it finds one. If you have
something like foo.txt and a file foo, what will happen, which comes first?
And for performance, it is surely slower, as the server has to try all the
cases.

I didn't say it won't work, but that's not the right way to do it.

Savut

"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:f3********************************@4ax.com...
On Fri, 2 Apr 2004 15:15:16 -0500, "Savut" <we***@hotmail.com> wrote:
"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:i3********************************@4ax.com. ..
On Fri, 2 Apr 2004 14:16:01 -0500, "Savut" <we***@hotmail.com> wrote:

put this in an .htaccess file

DefaultType application/x-httpd-php

This will make every unknown filetype be considered a PHP file.

This really isn't a good idea.


But this is what you HAVE TO DO to do it; you just have to put your files
and the .htaccess file in a special folder, and this rule applies only to that
folder, just like cgi-bin works. That's what major companies do, and it
works more normally than the other solutions, as the rule is designed to
do this job.


What's wrong with using Options MultiViews?

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space


Jul 17 '05 #12
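An added example, not part of any post in this thread: a PHP command-line check for the ambiguity raised above, listing every extensionless name in a directory that matches more than one foo.* file or that also exists as an exact file. The function name and the sample files are constructed for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example: find names MultiViews would have to choose between.
// Follows the rule quoted in the post: a request for "foo" that has no
// exact file is matched against every file named "foo.*".

function multiviews_report(string $dir): array
{
    $names = [];
    foreach (scandir($dir) ?: [] as $entry) {
        // Skip dotfiles such as .htaccess, and anything that is not a file.
        if ($entry[0] === '.' || !is_file($dir . '/' . $entry)) {
            continue;
        }
        $dot  = strpos($entry, '.');
        $base = ($dot === false) ? $entry : substr($entry, 0, $dot);
        $names[$base] ??= ['exact' => false, 'candidates' => []];
        if ($dot === false) {
            $names[$base]['exact'] = true;          // served as-is
        } else {
            $names[$base]['candidates'][] = $entry; // part of "foo.*"
        }
    }
    // Keep only names that need a decision: several candidates, or an
    // exact file sitting beside "foo.*" files.
    return array_filter($names, function (array $n): bool {
        return count($n['candidates']) > 1
            || ($n['exact'] && count($n['candidates']) > 0);
    });
}

// Constructed sample directory so the script runs offline.
$dir = sys_get_temp_dir() . '/multiviews_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$sample = ['foo.php', 'foo.txt', 'foo.php.bak', 'bar.php', 'baz', 'baz.php'];
foreach ($sample as $file) {
    touch($dir . '/' . $file);
}

foreach (multiviews_report($dir) as $base => $info) {
    printf(
        "/%s: %s%s\n",
        $base,
        implode(', ', $info['candidates']),
        $info['exact'] ? ' (exact file present, served without negotiation)' : ''
    );
}

// Remove the sample files again.
foreach ($sample as $file) {
    unlink($dir . '/' . $file);
}
rmdir($dir);
```

Leftover copies such as foo.php.bak show up in the report because they also match foo.*, which makes the check useful before enabling MultiViews on an existing directory.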
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.c om...
I'm supposed to hide the php extension in a file (like Yahoo! or
Google). For example, http://foo.com/foo instead of
http://foo.com/foo.php. I have read various articles including
<http://in2.php.net/security.hiding> . Certainly mod_rewrite is not
the right option. In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is? Is there
any other options to do the same? TIA


Why isn't mod_rewrite the right option?
Jul 17 '05 #13
<previous post>
I'm supposed to hide the php extension in a file (like Yahoo! or
Google). For example, http://foo.com/foo instead of
http://foo.com/foo.php. I have read various articles including
<http://in2.php.net/security.hiding> . Certainly mod_rewrite is not
the right option. In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is? Is there
any other options to do the same? TIA

</previous post>
Many thanks to all the experts who answered in this thread. The
advantage I have found in MultiViews (thanks for correcting:-)) is
that we can use $_SERVER['PHP_SELF'] and other variables instead of
hard coding the links. Similarly, I hope, with Savut's suggestion also,
there won't be much problem. While searching I read one of the articles
which says Yahoo! uses some strange extensions like .unknown 'coz of
security and then applies mod_rewrite; but I'm not sure about it and the
performance. In that case, they may hard code the links (they may not
use $_SERVER['PHP_SELF'] or so).

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #14
Ian.H <ia*@windozedigiserv.net> wrote or quoted:
On Fri, 02 Apr 2004 10:21:15 +0000, Tim Tyler wrote:
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:
I'm supposed to hide the php extension in a file
(like Yahoo! or Google). For example, http://foo.com/foo
instead of http://foo.com/foo.php.


Use http://foo.com/foo/ instead.


This will fail.. as it will look for a directory.


Uh - that was the point.

The most correct way to encapsulate files using a web server (so their
extensions are not directly exposed to the client) is to use index files
in directories.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #15
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<vu********************@comcast.com>...
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.c om...
I'm supposed to hide the php extension in a file (like Yahoo! or
Google). For example, http://foo.com/foo instead of
http://foo.com/foo.php. I have read various articles including
<http://in2.php.net/security.hiding> . Certainly mod_rewrite is not
the right option. In Apache, "file.php" & "file" are treated as same
(content negotiation??) and like to know, how reliable it is? Is there
any other options to do the same? TIA


Why isn't mod_rewrite the right option?


Applying mod_rewrite results in hard coding the links or forces us
to implement a system to take care of linking. Apart from this major
drawback, it seems to have performance constraints too (a few articles
hint at this).

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #16
Ian.H <ia*@windozedigiserv.net> wrote or quoted:
On Fri, 02 Apr 2004 10:21:15 +0000, Tim Tyler wrote:
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:
I'm supposed to hide the php extension in a file
(like Yahoo! or Google). For example, http://foo.com/foo
instead of http://foo.com/foo.php.

Use http://foo.com/foo/ instead.


This will fail.. as it will look for a directory.


I could see that Ian's and a few others' messages are not appearing
in Google Groups (for example
<http://groups.google.com/groups?threadm=abc4d8b8.0404012208.76ebdba7%40posting.google.com>).
By any chance, their news reader may be configured with "X-No-archive"
headers <http://www.google.com/googlegroups/help.html#prevent>. If
that is the case, I suggest removing it. Thanks.

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #17
DefaultType application/x-httpd-php is more better

Imagine your application contain lot of files and you need something like

http://www.domain.com/openWork/submit?var1=true&var2=10
http://www.domain.com/openWork/list?num=30
http://www.domain.com/openWork/docha...ion=1234455632

Yahoo works this way, and most big corporations do too, to hide their
application extension.

But again, the way they do it is using cgi-directory. If you have
configured PHP this way and configured Apache to handle it, you can do the
same as them: just put this on the first line of your PHP files
#!/usr/bin/php or #!c:/php/bin/php.exe (Windows)
then the server will call PHP to process these files, so the extensions are
not used. You can decide not to use any extension.

Savut

"Tim Tyler" <ti*@tt1lock.org> wrote in message news:Hv********@bath.ac.uk...
Ian.H <ia*@windozedigiserv.net> wrote or quoted:
On Fri, 02 Apr 2004 10:21:15 +0000, Tim Tyler wrote:
R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:
I'm supposed to hide the php extension in a file
(like Yahoo! or Google). For example, http://foo.com/foo
instead of http://foo.com/foo.php.

Use http://foo.com/foo/ instead.


This will fail.. as it will look for a directory.


Uh - that was the point.

The most correct way to encapsulate files using a web server (so their
extensions are not directly exposed to the client) is to use index files
in directories.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.


Jul 17 '05 #18
Savut <we***@hotmail.com> wrote or quoted:

[Re: "Hiding PHP's extension? Use http://foo.com/foo/"]
DefaultType application/x-httpd-php is more better

Imagine your application contain lot of files and you need something like

http://www.domain.com/openWork/submit?var1=true&var2=10
http://www.domain.com/openWork/list?num=30
http://www.domain.com/openWork/docha...ion=1234455632

Yahoo works this way, and most big corporations do too, to hide their
application extension.


I would use www.domain.com/openWork/list/?num=30

That way it still works if you don't have access to the innards
of the webserver - if .htaccess is turned off on security grounds,
or if your webserver is shared - and different clients have
conflicting needs about what is the default handler.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #19
If someone can't use .htaccess because the hosting prohibits it, well, I
suggest changing the hosting company, because he misses a lot of features that
an .htaccess file can do. :D

Savut

"Tim Tyler" <ti*@tt1lock.org> wrote in message news:Hv********@bath.ac.uk...
Savut <we***@hotmail.com> wrote or quoted:

[Re: "Hiding PHP's extension? Use http://foo.com/foo/"]
DefaultType application/x-httpd-php is more better

Imagine your application contain lot of files and you need something like

http://www.domain.com/openWork/submit?var1=true&var2=10
http://www.domain.com/openWork/list?num=30
http://www.domain.com/openWork/docha...ion=1234455632

Yahoo works this way, and most big corporations do too, to hide their
application extension.


I would use www.domain.com/openWork/list/?num=30

That way it still works if you don't have access to the innards
of the webserver - if .htaccess is turned off on security grounds,
or if your webserver is shared - and different clients have
conflicting needs about what is the default handler.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.


Jul 17 '05 #20
Savut <we***@hotmail.com> wrote or quoted:
If someone can't use .htaccess because the hosting prohibits it, well, I
suggest changing the hosting company, because he misses a lot of features that
an .htaccess file can do. :D


Use of ".htaccess" is *often* turned off - on grounds of performance and
security [1].

I can't see why should I instruct people to change their site hosting so
they can run my software - when there's no need for me to force them to
do so.

Lastly, .htaccess is an apache-specific feature. Apache is not the
only PHP server in existence - and I would prefer my software to be
portable.

[1] ".htaccess files, Apache Tutorial"

``There are two main reasons to avoid the use of .htaccess
files.

The first of these is performance. When AllowOverride is set
to allow the use of .htaccess files, Apache will look in
every directory for .htaccess files. Thus, permitting
.htaccess files causes a performance hit, whether or not you
actually even use them! Also, the .htaccess file is loaded
every time a document is requested.

Further note that Apache must look for .htaccess files in
all higher-level directories, in order to have a full
complement of directives that it must apply. (See section on
how directives are applied.) Thus, if a file is requested
out of a directory /www/htdocs/example, Apache must look for
the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there
are 4 additional file-system accesses, even if none of those
files are present. (Note that this would only be the case if
.htaccess files were enabled for /, which is not usually the
case.)

The second consideration is one of security. You are
permitting users to modify server configuration, which may
result in changes over which you have no control. Carefully
consider whether you want to give your users this privilege.''

- http://httpd.apache.org/docs/howto/htaccess.html
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #21
I talk about .htaccess because that is what most people have access to, but if
you have access to the Apache conf, it's just better.

Savut

"Tim Tyler" <ti*@tt1lock.org> wrote in message news:Hv********@bath.ac.uk...
Savut <we***@hotmail.com> wrote or quoted:
If someone can't use .htaccess because the hosting prohibits it, well, I
suggest changing the hosting company, because he misses a lot of features that
an .htaccess file can do. :D


Use of ".htaccess" is *often* turned off - on grounds of performance and
security [1].

I can't see why should I instruct people to change their site hosting so
they can run my software - when there's no need for me to force them to
do so.

Lastly, .htaccess is an apache-specific feature. Apache is not the
only PHP server in existence - and I would prefer my software to be
portable.

[1] ".htaccess files, Apache Tutorial"

``There are two main reasons to avoid the use of .htaccess
files.

The first of these is performance. When AllowOverride is set
to allow the use of .htaccess files, Apache will look in
every directory for .htaccess files. Thus, permitting
.htaccess files causes a performance hit, whether or not you
actually even use them! Also, the .htaccess file is loaded
every time a document is requested.

Further note that Apache must look for .htaccess files in
all higher-level directories, in order to have a full
complement of directives that it must apply. (See section on
how directives are applied.) Thus, if a file is requested
out of a directory /www/htdocs/example, Apache must look for
the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there
are 4 additional file-system accesses, even if none of those
files are present. (Note that this would only be the case if
.htaccess files were enabled for /, which is not usually the
case.)

The second consideration is one of security. You are
permitting users to modify server configuration, which may
result in changes over which you have no control. Carefully
consider whether you want to give your users this privilege.''

- http://httpd.apache.org/docs/howto/htaccess.html
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.


Jul 17 '05 #22
