According to this advisory, .pht files can be used to execute PHP code:https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/
However, I am unable to find much information on this file format. I am also unable to get an Apache server running PHP to execute this file.
Does anyone have more information regarding this file format?
It's not used much. This is a quote from file-extensions.org
The PHT file stores HTML page that includes a PHP script, dynamically generates HTML, often by accessing database information.
PHT seems to be very little used format.
These days, you're more likely to see .phtml files. Where there is a mix of PHP and HTML in the file, it still needs to be parsed by the PHP processor to create the right output.
I am not aware of a web server that handles PHT files with the PHP handler by default. Given their nature it's much more likely that they would be templates, included from another PHP file.
In this use case, the included file can have any extension the developer desires and there could be no official association.
Related
I named a file index.php while writing an app that uses PHP, Javascript and jQuery. In the end I realized there is no PHP code in the index.php file, so I changed the file extension to .html and, after some testing, it seems there are no problems.
Everything that touches the HTML in the index.html file is JavaScript. I'm reading fields from a form, writing to a MySQL database, and then reading the database and writing back to the HTML. The JavaScript is making Ajax requests to various PHP files.
If I use the filename index.html, am I likely I run into trouble if I move the files to a different Web server?
There is no reason to give a file a .php file extension if it doesn't contain any PHP.
There are various different reasons not to build your page so it only works if JavaScript is available though (which implies that the file should contain PHP, given that is your server side language of choice).
I prefer .php because if you want after time add some php code there you just cant.In .html cant be php code.
I know that PHP's include/require statements can append other .php files into the script, either from a local path or an url.
Today i tried to include and also to require a .ddf (a text file), and it worked, with no errors or warnings. Then PHP actually executed some code that was in that file!
After that i went into the PHP's documentation for include to see if including non-php files is fully supported and safe. Turns out that, the documentation barely mentions this procedure (include 'file.txt'; // Works.) that's it.
So i'm asking you guys, Is including non-php files safe? Also is it a bad practice?
I just want to say that it is completely unsafe. While yes, as long as you trust the page, you technically could do this. But the page when pulled up directly in the browser isn't parsed as php. Anyone who goes directly to the file in the web server, whether guessing or you made a framework or they just know some file names, would see the complete source of the file. Exposing your site and possibly releasing sensitive information like database credentials. Another thing to think about is that people are usually pretty good about not allowing *.php files to be uploaded to their site, but just imagine you are allowing other files to be included and someone uploads a text file named "someImage.jpg" with php script in it and for some dumb reason you include it. People now have a way to execute scripts on your server. Likely including calling shell commands (exec). It used to be common practice to use *.inc files to specify includes but that has been considered bad for quite a long time.
It is not advisable to include txt files in php scripts. Instead, you should use file_get_contents.
If someone could point out what I'm missing here, that would be appreciated
I'm new but I haven't encountered a situation where wrongly naming a html file as php can be bad.
Perhaps it's just less confusing for developers?
If you've a web server that understands the .php file extension and has the necessary PHP module installed, there's no issue with simply renaming a .html file to .php (as long as all links to it are also renamed accordingly).
However there's absolutely no benefit in doing this (and I'd dispute any meaningful UX benefit from the user's perspective), as it'll mean that the web server will need to invoke the PHP module to parse the file. This will be a waste of time and memory, as it's just a plain HTML file.
PHP files are sent to be evaluated after the browser requests them whereas HTML files are directly given to the browser.
So if there is no PHP code in your .php file, you are still sending it to be evaluated, though it doesn't do much to the loading time of the page, if anything.
On a standard LAMP stack, do .php files without any PHP in them get passed to the PHP interpreter?
In other words, is there a performance/processing loss for creating a .php file without actually including any PHP in it, versus just making it a .html file?
On a standard LAMP stack, do .php files without any PHP in them get passed to the PHP interpreter?
Yup - after all, no other component except for the PHP parser is fit to decide whether the file contains PHP!
In other words, is there a performance/processing loss for creating a .php file without actually including any PHP in it, versus just making it a .html file?
Potentially, yes, although it will be minimal in most cases unless you have really, really loads of traffic.
I have a series of web sites all hosted on the same server with different domains. I want to host some common PHP scrips and then be able to call these from the other domains.
Im am a bit fresh with my php so pls excuse code attempts - I have tried iterations of the following which may try and help you understand what I am aiming for!
from within php tags ...
include('http://www.mydomain/common_include.php?show_section=$section');
$show_section = $_GET['show_section'];
include('http://www.mydomain/common_include.php');//Then $show_section would be available to the included file/cod
Finally I have tried pulling in the include which contains a function then trying to run that include from the parent script.
I would much prefer to keep this PHP
orientated rather than getting
involved with the server (file
systems etc (but I can change
permissions etc)
I can but would prefer not to just upload the same library to each of the domains separately
I understand PHP is run on the server hence maybe problematic to include scripts across onto another server.
Thanks in advance.
#
EDIT
OK OK - I get that its bad practice so will not do it....THANKS VERY MUCH FOR THE QUICK ANSWERS.
However is there any other recommendations of how to esentially show this basic php app on all of the sites with out haveing to add the files to the root of each site? Just to prevent massive script duplication...(thinking out loud call the scripts in from a db or anyother soloutions)
Again thanks for your assistance
That would be a huge security risk if you could just include remote PHP files to your own projects. The PHP gets parsed before the server sends it to you so cross-domain includes would only contain the output the script generates. The only way to include PHP files so that they can be executed is via local filesystem.
If you look at PHP.net's documentation about include, you can find this:
If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see List of Supported Protocols/Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
Which pretty much explains the whole thing.
The root of the original question seemed to be the poster's concern about using a PHP script or plugin on multiple sites and then having an onerous task each time it needs to be updated. While trying to include PHP files across sites is a bad idea, it is a better plan to structure your script to be as self contained as possible. Keep the entire plugin contained in one directory.... and ensure your function calls to utilize it are as well formed as possible - clean, well named functions, uniform naming conventions and a well thought out plan for what parameters each function needs. Avoid using global variables.
Ideally you should then have quite an easy time each time you need to update the plugin/script in all locations. You can even set up an automated process that will upload the new directory containing the plugin to each site replacing the old one. And the function calls within your code should rarely if ever change.
If your script is big enough you might implement an automatic update process like the more recent versions of Wordpress use. Click a button and it updates itself. In the past, updating a dozen sites running Wordpress (as an example) was a massive pain.
That is very bad practice.
Actually you're including not PHP but just HTML code.
Include files, not urls. It is possible for the same server.
Just use absolute path to these files.
Apart from the fact that it's a bad practice you should first check if include allows URLs if you really want to do that.
If however all the sites that need to use the script, you could put the script somewhere in a directory accessible by the user that executes php and add that dir to the php.ini include_path property (can also be done at runtime)
(Or you could create a php extension and load it as extension)
If you have root rights on that server, you could just use absolute path from filesystem root, but most hostings won't let you do this.