Choose your file extension carefully

PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even wom.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts - if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files.

If you are running Apache, you can change your file extension by changing this line:

AddType application/x-httpd-php .php

The .php part can be changed to .html, .foo, or whatever else you want - be creative!
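The chapter shows only the one-line AddType change; as an added example (not the book's own configuration), here is a fuller Apache fragment that hands .html files to PHP. It assumes Apache with mod_php loaded and follows the FilesMatch/SetHandler form the PHP manual documents for Apache 2.x, which anchors on the end of the filename rather than on any extension that appears anywhere in it.

```apache
# Added example, not from the original page: serve PHP scripts with the
# .html extension. Assumes Apache 2.x with mod_php enabled.

# The chapter's original mapping. Keeping it means ".php" files still run;
# dropping it means only the extensions matched below are parsed by PHP.
# Caveat: AddType/AddHandler act on every extension in a multi-extension
# name, so a file such as page.php.bak (where .bak maps to no other type)
# can still be executed. The FilesMatch form below avoids that ambiguity.
# AddType application/x-httpd-php .php

<FilesMatch "\.html$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Directory index files are now .html scripts; make sure Apache looks for them.
DirectoryIndex index.html
```

Two things to check before deploying this: every .html file on the server becomes executable code, so any location where users or other applications can write .html files (upload directories, shared web roots) now needs the same protection you would give a .php upload directory; and static .html pages that were previously served directly will now pass through the PHP engine, which costs some performance.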

Author's Note: Using something other than .php as your file extension is nothing more than security through obscurity, a technique most people would argue against. However, as long as changing the file extension is not your only form of defence, there's no reason not to use it - every little helps, and if it deters just 1% of hackers from trying to break into your site then you should be pleased.

Copyright ©2015 Paul Hudson. Follow me: @twostraws.