I am writing a web application in php using Apache server. What I would like to do is have the index.php (and other files) display as *.aspx files, to confuse potential hackers.
Can this be done by editing the .htaccess file, and if so, what are the relevant lines to edit?
Serving the wrong file extension is not how you would achieve security, as it would not be enough to fool potential hackers. It might not even be enough to fool the guys at builtwith.com.
Instead of researching how to mislead the hackers with simple tricks, research on ways to secure your application better. You can start that at PHP.net and Stack Overflow.
If you insist, you can use Apache mod_rewrite for that.
Something along this line (not tested):
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.aspx -f
RewriteRule ^(.+).aspx$ /$1.php [L,QSA]
Otherwise, you can also add mime-type in Apache to serve *aspx files as PHP.
AddType application/x-httpd-php .aspx
According to this answer, you should add the following to your .htaccess :
AddType application/x-httpd-php .aspx
You can find more info about the AddType directive in the Apache documentation.
Related
I made a website for an sports club in the area. I always ran it on my own server (apache2) when building and testing it and use .htaccess to make some rewrites. Now the website is going live on their server, only problem is they're running on a cgi/fastcgi server...
I'm not that experienced with that kind of IT terms and modifications, so i hope you'll can help me or give me some advice. What is the best way to make the .htaccess work (and the whole website, which also includes php code)? At the moment the website gives an "(IIS 8.5 Detailed Error) HTTP Error 403.14 - Forbidden" error. Also their running PHP7...
Hope somebody can help me!! Thanks!!
.htaccess
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
# redirect while under construction
RewriteCond %{REMOTE_ADDR} !^my\.ip\.addr\.ess$
RewriteCond %{REQUEST_URI} !construction\.html
RewriteRule ^(.*)$ /construction.html [R=302,L]
# remove .html extensions from the URL
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.html [NC,L]
# convert html to php without changing the extension
AddType application/x-httpd-php .htm .html
ErrorDocument 404 /errors/404.html
This has nothing to do with CGI or FastCGI.
.htaccess is an Apache HTTP specific means of configuring your HTTP server.
If you want to configure Microsoft Internet Information Server then you have to use the IIS configuration methods, not Apache configuration methods.
(You are trying to configure three completely different things in your Apache configuration file, so I'm not going to look up detailed instructions for the IIS equivalents of all of them).
Is it bad to use:
ForceType application/x-httpd-php
and to save files without a file extention (e.g. index instead of index.php)? The intention is to hide/remove .php from the URL and to stop users from manually putting e.g. /example.php.
To remove the file extension, add this to the .htaccess :
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
change .php to the proper file extension
new link :
link text
Edit :
Save your files as index.php, about.php, and so on
Yes. Yes it is bad.
The right way to do that is by using mod_rewrite and .htaccess files.
Its not good practice to change extension as it will need configuration for web server each time and so its a portability issue.
You should use .htaccess directives to setup any level of customization.
And in best practice you can route all requests to index.php to avoid direct access of php files.
For simple web application, how can we use ".main" as the URI extention in place of .php or .html ? How can we change example.com/test.php to exmple.com/test.main, without actually renaming the file.
Thanks
You can use the apache extension mod_rewrite. Here's a sample of what you can do.
RewriteEngine On
RewriteRule ^(.*)\.main$ $1.php
This will take any request with the extension .main and actually serve the file with the same name but extension .php.
ModRewrite is a great solution for such things, however, to permanently have a different extension for you PHP files while they are still recognised and executed as PHP, use Apache's SetHandler module.
Options +Indexes
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)\.main$ $1.php [R=301,L]
Also please see this Tutorial: An In Depth Guide to mod_rewrite for Apache http://net.tutsplus.com/tutorials/other/a-deeper-look-at-mod_rewrite-for-apache/
In IIS, you would use the Manage Handlers script to assign the PHP FastCGI executable to .main file extensions.
This question already has answers here:
How to show php-files as plain text in Apache
(5 answers)
Closed 8 years ago.
i want help in this problem
this command not work good can u help me
i have new folder on my website under this name
"TextPHP"
and i put this code in .htaccess
RewriteRule ^(.*) /home/myhome/public_html/$1.php [L,T=text/plain]
i want any one go to that folder can read any source from my php files
and this not work
i try H=text/plain
and i got error 500
also i try
php_value engine off
php_value engine off
not working :(
its there any other trick
and sorry about my english language so bad :p
thanks for helping
You don't specify the full path to the file in the rewrite rule, what you are specifiying is a new absolute URL or a URI relative to the web root. So if you want to make any URI go to a PHP file of teh same name, here is how you would do it:
RewriteEngine On
RewriteRule ^(.*) /$1.php [L]
No need to specify /home/myhome/public_html here.
This is a basic example however, as typically, this is much too broad of a rule, as it would prevent you from serving up images or other actual files from the web root (they would all end up with .php appended to the. So assuming this is actually what you want, you would commonly see something like:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) /$1.php [L]
This rule applies in cases when the URI does not match an actual filename or directory. Thus requests to /some_file.php would not be redirected to /some_file.php.php.
You can configure your webserver to show the source for *.phps files (e.g. make symlinks) with:
AddType application/x-httpd-php-source .phps
Or to disable PHP processing for that directory completely use:
RemoveHandler .php
RemoveType .php
Alternatively or additionally with:
php_flag engine off
On some setups (cgi / fastcgi) even:
Options -ExecCGI
If you wanna use mod_rewrite, then write a wrapper script for displaying them via readfile() (and some basename() filtering for security) and apply it like:
RewriteRule ^(.+\.php)$ showsrc.php?file=$1
What handles the disabling of the extension? Is it APACHE or the PHP install? How would one go about configuring the web server where the .php extension is not required? Is there an option that would make both www.example.com/page.php and www.example.com/page work as the URL?
It's URL rewriting through Apache:
http://www.addedbytes.com/apache/url-rewriting-for-beginners/
Apache also has a setting called MultiViews that will serve domain.com/index.* as domain.com/index, domain.com/example.* as domain.com/example, etc.
I've occasionally run into issues where MultiViews beats out mod_rewrite rules, so I tend to turn it off.
Check out some articles from A List Apart on this topic: You use Apache (in your case) to setup ReWriteRule's and then you have PHP parse the url to fetch the correct information. (again, in your case. You can do this with many languages and http servers)
http://www.alistapart.com/articles/succeed/
http://www.alistapart.com/articles/urls/
brianreavis is correct. Here's an example for your .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
I just throw it all at PHP and parse it however I want in there:
.htaccess
RewriteEngine On
RewriteRule !\.(js|ico|gif|jpg|png|css)$ #frontend.php
I use this in my .htaccess
<Files ~ "^[^.]+$">
ForceType application/x-httpd-php5
</Files>
That way I can remove all extensions (.php) from my files, and it will still work.
I use $_SERVER['PATH_INFO'] to retrieve the remainder of the path as parameters. E.g. /page/param1/param2 where page is an actual php file.