Thursday, November 20, 2008

How to hide php extensions

Hiding PHP extensions is a really good thing to do. Not only does it make your website more search engine friendly and professional looking, but it also makes it safer!

Why does it make it safer, one might ask? My answer is that it hides your PHP pages and doesn't let attackers communicate with them directly, passing different parameters as variables to your pages and testing the result!

Let me make it clearer: let's say you have a page that shows a piece of news. Your page would look like this: news.php?id=85

Now an attacker can simply change that id to anything he wants: he can change it to a string instead of a number, he can try some SQL injections or other nasty things. But if you hide your page, the same page will look something like news/85 or even news/85.html

Now many attackers will just assume your page is an HTML file and stop trying to hack you to begin with. However, if they continue, they will not be able to see any desirable results, because trying a string instead of 85 will give them a 404 error!

In other words you are adding another security layer to your PHP files. There are good ways to stop SQL injection within PHP, but adding another security layer is always better, especially if your website is under heavy attack! It's like having more rows of soldiers in a war!

You can hide your PHP extensions by using Apache's .htaccess file capabilities; you should also know regular expressions to use this feature effectively. Here is a sample I have used for one of my projects:

# Allow Apache to follow symlinks; mod_rewrite in .htaccess needs this on most setups
Options +FollowSymlinks
# Turn on the rewrite engine for this directory
RewriteEngine on
# Map e.g. 85.aspx to foo.php?id=85; only an all-digit name matches, anything else falls through to a 404
RewriteRule ^([0-9]+)\.aspx$ foo.php?id=$1

Here the users will see news/85.aspx in their browsers, but Apache will internally rewrite that request to my foo.php file with id=85 and then show the results from that page!

So not only have I kept my foo.php safe from visitors, and not only do hackers have no chance of passing anything but one numerical value to my PHP, I have also made hackers think I'm using ASP.NET instead of PHP, so they will be trying to use their ASP.NET knowledge to hack a PHP based application, which is a hard thing to do.
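As an added example (not code from the original post), here is what a foo.php sitting behind that rewrite rule could look like. It re-validates id as a positive integer and looks the news item up with a PDO prepared statement, so the digit-only pattern in the RewriteRule and the PHP-side checks mentioned above work as two independent layers. Keep in mind that a RewriteRule without the R flag is an internal rewrite, so foo.php is still reachable at its real path unless that path is blocked separately; that is why the script does not trust the rewrite alone. The news table, its columns, the DSN and the credentials are assumptions for this example.

```php
<?php
// foo.php: the handler behind  RewriteRule ^([0-9]+)\.aspx$ foo.php?id=$1
declare(strict_types=1);

// Accept only a positive integer id. The rewrite already restricts the
// value to digits for requests that came through 85.aspx, but a request
// sent straight to foo.php?id=... bypasses that pattern, so validate here too.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(404);   // same answer the rewrite gives for a non-numeric name
    exit('Not found');
}

// Assumed DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
]);

// The id is bound as an integer parameter, never concatenated into the SQL,
// so even a value that slipped past validation could not alter the query.
$stmt = $pdo->prepare('SELECT title, body FROM news WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);   // valid-looking id, but no such news item
    exit('Not found');
}

// Escape on output so stored content cannot inject markup into the page.
header('Content-Type: text/html; charset=utf-8');
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . nl2br(htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')) . '</p>';
```

With this in place, news/85.aspx and a direct foo.php?id=85 both return the article, while foo.php?id=85abc and foo.php?id=-1 get the same 404 that the rewrite rule gives to 85abc.aspx, so the response does not reveal whether the request reached the script.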
