hidden php file extension

  • Badr.ALmuzini@gmail.com

    hidden php file extension

    hi, there

    how can I make php file extension hidden in the URL, something like this
    (http://mail.google.com/mail/?view)

    Regards....

  • Henrik Hansen

    #2
    Re: hidden php file extension

    Badr.ALmuzini@gmail.com writes:

    > hi, there
    >
    > how can I make php file extension hidden in the URL, something like this
    > (http://mail.google.com/mail/?view)

    If you do this the parameter ?view is appended to the index.php file in
    that dir, so it's quite easy, just make sure your index.php
    understands ?view. Another way is to make .html (.htm) files to be
    parsed as php, then you have index.html but you can actually use
    php in the file.

    --
    Henrik Hansen

    • tihu

      #3
      Re: hidden php file extension

      Henrik's suggestions are correct. Another way to mask file extensions is
      by using mod_rewrite in Apache.

      • youcantoo

        #4
        Re: hidden php file extension

        Henrik Hansen wrote:
        > Badr.ALmuzini@gmail.com writes:
        >
        >> hi, there
        >>
        >> how can I make php file extension hidden in the URL, something like this
        >> (http://mail.google.com/mail/?view)
        >
        > If you do this the parameter ?view is appended to the index.php file in
        > that dir, so it's quite easy, just make sure your index.php
        > understands ?view. Another way is to make .html (.htm) files to be
        > parsed as php, then you have index.html but you can actually use
        > php in the file.
        >
        That is not really a good idea as it puts a huge load on the server. Now
        for EVERY .html page Apache serves it will have to parse each .html
        page for php script, even if the page has no php script in it. This
        really increases the load on the server. It all translates to SLOWER
        pages. Is that what you really want to achieve?

        • Henrik Hansen

          #5
          Re: hidden php file extension

          youcantoo <dwm@findmoore.net> writes:

          > Henrik Hansen wrote:
          >> Badr.ALmuzini@gmail.com writes:
          >>
          >>> hi, there
          >>>
          >>> how can I make php file extension hidden in the URL, something like this
          >>> (http://mail.google.com/mail/?view)
          >> If you do this the parameter ?view is appended to the index.php file in
          >> that dir, so it's quite easy, just make sure your index.php
          >> understands ?view. Another way is to make .html (.htm) files to be
          >> parsed as php, then you have index.html but you can actually use php
          >> in the file.
          >>
          > That is not really a good idea as it puts a huge load on the
          > server. Now for EVERY .html page Apache serves it will have to parse
          > each .html page for php script, even if the page has no php script in
          > it. This really increases the load on the server. It all translates to
          > SLOWER pages. Is that what you really want to achieve?

          Do you have any benchmarks for your claims? I use this way and can't
          really see any difference at all to be honest. Parsing pages to see if
          there is php in it goes VERY fast. Of course everything is relative but
          in general I think it's a good way of masking files.

          You could also just turn it on on the php folders if you have separate
          static content folders, so they don't get treated as php.

          --
          Henrik Hansen

          • Jerry Stuckle

            #6
            Re: hidden php file extension

            Henrik Hansen wrote:
            > youcantoo <dwm@findmoore.net> writes:
            >
            >>Henrik Hansen wrote:
            >>
            >>>Badr.ALmuzini@gmail.com writes:
            >>>
            >>>>hi, there
            >>>>
            >>>>how can I make php file extension hidden in the URL, something like this
            >>>>(http://mail.google.com/mail/?view)
            >>>
            >>>If you do this the parameter ?view is appended to the index.php file in
            >>>that dir, so it's quite easy, just make sure your index.php
            >>>understands ?view. Another way is to make .html (.htm) files to be
            >>>parsed as php, then you have index.html but you can actually use php
            >>>in the file.
            >>
            >>That is not really a good idea as it puts a huge load on the
            >>server. Now for EVERY .html page Apache serves it will have to parse
            >>each .html page for php script, even if the page has no php script in
            >>it. This really increases the load on the server. It all translates to
            >>SLOWER pages. Is that what you really want to achieve?
            >
            > Do you have any benchmarks for your claims? I use this way and can't
            > really see any difference at all to be honest. Parsing pages to see if
            > there is php in it goes VERY fast. Of course everything is relative but
            > in general I think it's a good way of masking files.
            >
            > You could also just turn it on on the php folders if you have separate
            > static content folders, so they don't get treated as php.

            You obviously don't have a very heavily loaded server. You get one with
            a few thousand hits/minute and it's a definite hit. How much depends on
            the size of the HTML files, the percentage of PHP in the files and a
            bunch of other things.

            Why do you even care about masking the files, anyway?

            --
            ==================
            Remove the "x" from my email address
            Jerry Stuckle
            JDS Computer Training Corp.
            jstucklex@attglobal.net
            ==================

            • Henrik Hansen

              #7
              Re: hidden php file extension

              Jerry Stuckle <jstucklex@attglobal.net> writes:

              > Henrik Hansen wrote:
              >> youcantoo <dwm@findmoore.net> writes:
              >>
              >>>Henrik Hansen wrote:
              >>>
              >>>>Badr.ALmuzini@gmail.com writes:
              >>>>
              >>>>>hi, there
              >>>>>
              >>>>>how can I make php file extension hidden in the URL, something like this
              >>>>>(http://mail.google.com/mail/?view)
              >>>>
              >>>>If you do this the parameter ?view is appended to the index.php file in
              >>>>that dir, so it's quite easy, just make sure your index.php
              >>>>understands ?view. Another way is to make .html (.htm) files to be
              >>>>parsed as php, then you have index.html but you can actually use php
              >>>>in the file.
              >>>
              >>>That is not really a good idea as it puts a huge load on the
              >>>server. Now for EVERY .html page Apache serves it will have to parse
              >>>each .html page for php script, even if the page has no php script in
              >>>it. This really increases the load on the server. It all translates to
              >>>SLOWER pages. Is that what you really want to achieve?
              >> Do you have any benchmarks for your claims? I use this way and can't
              >> really see any difference at all to be honest. Parsing pages to see if
              >> there is php in it goes VERY fast. Of course everything is relative but
              >> in general I think it's a good way of masking files.
              >> You could also just turn it on on the php folders if you have separate
              >> static content folders, so they don't get treated as php.
              >
              > You obviously don't have a very heavily loaded server. You get one
              > with a few thousand hits/minute and it's a definite hit. How much
              > depends on the size of the HTML files, the percentage of PHP in the
              > files and a bunch of other things.
              >
              > Why do you even care about masking the files, anyway?

              The goal was to make the best looking urls which meant a .php
              extension was out of the picture. But as I said everything is
              relative.. our .htm files are purely php. If you mix php and html very
              much maybe the performance cost is bigger. I have no numbers of how
              much traffic it gets per second but I don't think it's a few
              thousand.. although we did test with ab.

              --
              Henrik Hansen

              • burke

                #8
                Re: hidden php file extension

                Badr.ALmuzini@gmail.com wrote:
                > hi, there
                >
                > how can I make php file extension hidden in the URL, something like this
                > (http://mail.google.com/mail/?view)
                >
                > Regards....

                Here's what I've done in the past:

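                (index.php)

                <?php
                // Map the requested id onto a fixed, known script.
                switch ($_GET['id'] ?? 'main')
                {
                    case 'main':
                        require 'main.php';
                        break;
                    case 'about':
                        require 'about.php';
                        break;
                    default:
                        // Unknown ids fall back to the main page.
                        require 'main.php';
                        break;
                }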

                then you could type http://yourdomain?id=main

                if you really wanted to drop the ID part, you'd have to use multiple
                ifs, not a switch.

                Just never, ever use unsanitized input from $_GET/$_POST.

                i.e. this is *bad*:

                require $_GET['id'].'.php';

                bad, bad, bad. Don't. ;)

                As for a performance hit, I've never noticed one, but I don't run
                large-scale websites, so take my experience with a grain of salt.

                Sorry if my PHP isn't up to par, I'm thinking in Ruby lately.

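The allowlist dispatch from burke's post (#8), extended to also accept the bare ?view form from the original question, as an added example that is not code from the thread. The page names and the pages/ directory are hypothetical.

```php
<?php
// Added example (not from the thread). Page names and paths are hypothetical.
declare(strict_types=1);

// Allowlist: public page name => script to load. Nothing else is reachable.
const PAGES = [
    'main'  => __DIR__ . '/pages/main.php',
    'about' => __DIR__ . '/pages/about.php',
    'view'  => __DIR__ . '/pages/view.php',
];

/**
 * Resolve the page name from the parsed query string.
 * Accepts ?id=about and the bare form ?about, which PHP parses as
 * ['about' => '']. Returns null when the request names nothing on the list.
 */
function resolvePage(array $query, array $pages, string $default = 'main'): ?string
{
    if ($query === []) {
        return $default;                 // plain "/" request
    }
    if (array_key_exists('id', $query)) {
        $id = $query['id'];
        // ?id[]=x arrives as an array; anything that is not a string is invalid.
        return (is_string($id) && array_key_exists($id, $pages)) ? $id : null;
    }
    // Bare form: the first query key is the page name (numeric keys are ints).
    $name = (string) array_key_first($query);
    return array_key_exists($name, $pages) ? $name : null;
}

function dispatch(array $query): void
{
    $page = resolvePage($query, PAGES);
    if ($page === null) {
        // Unknown names get a 404 instead of silently showing the main page.
        http_response_code(404);
        echo 'Not found';
        return;
    }
    // The path comes from the constant table, never from the request itself.
    require PAGES[$page];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, shown as the arrays PHP would put in $_GET.
    $samples = [
        [],
        ['id' => 'about'],
        ['view' => ''],
        ['id' => '../config'],
        ['id' => ['main']],
        ['admin' => ''],
    ];
    foreach ($samples as $q) {
        $label = http_build_query($q) ?: '(empty)';
        printf("%-20s => %s\n", $label, var_export(resolvePage($q, PAGES), true));
    }
} else {
    dispatch($_GET);
}
```

Run from the command line it prints how each constructed request resolves; served by the web server it dispatches the live request.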

                • John Dunlop

                  #9
                  Re: hidden php file extension

                  Jerry Stuckle:

                  > Why do you even care about masking the files, anyway?

                  Because filename extensions in URLs are generally worse than useless,
                  and at least in Apache you need to *do* something (i.e., reconfigure
                  it) before it will accept "extension-less" URLs.

                  --
                  Jock

                  • Badr.ALmuzini@gmail.com

                    #10
                    Re: hidden php file extension

                    hi, again

                    thanks to all you people

                    Henrik Hansen
                    I think this is a good solution (making folders for each system) for
                    module projects.

                    tihu
                    thanks for your suggestion but you have to configure the Apache server
                    so you have to get permission on your hosting to make changes.

                    youcantoo
                    I thought that Henrik Hansen's idea is to make a folder and index.html file
                    for each folder; we can also make index.php if we need, so I think there
                    will be no huge load on the server; on the other side, if there is load
                    it will be scaled in microseconds.

                    Jerry Stuckle
                    I think we need masking for confusing people who want to try playing
                    with some web site URL or find other site resources.

                    burke
                    I will try your idea.

                    • Jerry Stuckle

                      #11
                      Re: hidden php file extension

                      Badr.ALmuzini@gmail.com wrote:
                      > hi, again
                      >
                      > thanks to all you people
                      >
                      >
                      > Jerry Stuckle
                      > I think we need masking for confusing people who want to try playing
                      > with some web site URL or find other site resources.
                      >

                      Masking is not security. Rather, you should implement basic security on your
                      system.


                      --
                      ==================
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attglobal.net
                      ==================

                      • David Haynes

                        #12
                        Re: hidden php file extension

                        Jerry Stuckle wrote:
                        > Badr.ALmuzini@gmail.com wrote:
                        >> hi, again
                        >>
                        >> thanks to all you people
                        >>
                        >>
                        >> Jerry Stuckle
                        >> I think we need masking for confusing people who want to try playing
                        >> with some web site URL or find other site resources.
                        >>
                        >
                        > Masking is not security. Rather, you should implement basic security on
                        > your system.
                        >
                        >
                        Well, masking is a form of weak security. I understand that it is not
                        sufficient in most cases but since it removes some information from a
                        potential attacker, it is a form of security.

                        -david-

                        • Jerry Stuckle

                          #13
                          Re: hidden php file extension

                          David Haynes wrote:
                          > Jerry Stuckle wrote:
                          >
                          >> Badr.ALmuzini@gmail.com wrote:
                          >>
                          >>> hi, again
                          >>>
                          >>> thanks to all you people
                          >>>
                          >>>
                          >>> Jerry Stuckle
                          >>> I think we need masking for confusing people who want to try playing
                          >>> with some web site URL or find other site resources.
                          >>>
                          >>
                          >> Masking is not security. Rather, you should implement basic security
                          >> on your system.
                          >>
                          >>
                          > Well, masking is a form of weak security. I understand that it is not
                          > sufficient in most cases but since it removes some information from a
                          > potential attacker, it is a form of security.
                          >
                          > -david-
                          >

                          David,

                          No, masking is false security.

                          --
                          ==================
                          Remove the "x" from my email address
                          Jerry Stuckle
                          JDS Computer Training Corp.
                          jstucklex@attglobal.net
                          ==================

                          • David Haynes

                            #14
                            Re: hidden php file extension

                            Jerry Stuckle wrote:
                            > David Haynes wrote:
                            >> Jerry Stuckle wrote:
                            >>
                            >>> Badr.ALmuzini@gmail.com wrote:
                            >>>
                            >>>> hi, again
                            >>>>
                            >>>> thanks to all you people
                            >>>>
                            >>>>
                            >>>> Jerry Stuckle
                            >>>> I think we need masking for confusing people who want to try playing
                            >>>> with some web site URL or find other site resources.
                            >>>>
                            >>>
                            >>> Masking is not security. Rather, you should implement basic security
                            >>> on your system.
                            >>>
                            >>>
                            >> Well, masking is a form of weak security. I understand that it is not
                            >> sufficient in most cases but since it removes some information from a
                            >> potential attacker, it is a form of security.
                            >>
                            >> -david-
                            >>
                            >
                            > David,
                            >
                            > No, masking is false security.
                            >
                            Guess we'll agree to disagree.

                            -david-

                            • Michael Trausch

                              #15
                              Re: hidden php file extension

                              Jerry Stuckle wrote:
                              >
                              > David,
                              >
                              > No, masking is false security.
                              >

                              Security through obscurity does not tend to work for very long periods
                              of time... Jerry is right. It is effectively giving you a false sense
                              of security in that you feel that you're eliminating information from an
                              attacker. There are many ways to find out if PHP is running on the
                              system or not, outside of your control as the application writer. It's
                              best to just follow the conventions that are out there for web content.
                              This will keep your application portable, as well as enable the coders
                              involved to know at a glance what language your modules are written in
                              when they look at them. If you use PHP, Perl, and Ruby in your
                              environment, file extensions are a good thing.

                              If you truly want security, then test your application against different
                              types of attacks that it can and likely will be subject to.

                              Check to ensure that you aren't using register_globals so that your
                              global namespace isn't tainted. Ensure that your application is not
                              subject to SQL injection attacks. Verify that you're able to spew lots
                              of garbage at it and get nothing valid back. Ensure that cookies can't
                              be crafted (if your application uses cookies) by an attacker. Be sure
                              that your application isn't vulnerable to replay attacks.

                              Those are some of the points of security that you need to watch out for,
                              that will heighten your level of safety in operating the application.
                              The job of keeping things secure, however, is almost never done;
                              somebody, somewhere, will find ways to get around things, and then you
                              have to circumvent them. Hopefully, before any compromise is made.

                              - Mike
