PHP files without extensions - php

Is it bad to use:
ForceType application/x-httpd-php
and to save files without a file extension (e.g. index instead of index.php)? The intention is to hide/remove .php from the URL and to stop users from manually putting e.g. /example.php.

To remove the file extension, add this to the .htaccess :
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
change .php to the proper file extension
new link :
link text
Edit :
Save your files as index.php, about.php, and so on

Yes. Yes it is bad.
The right way to do that is by using mod_rewrite and .htaccess files.

It's not good practice to change the extension, as it will need configuration for the web server each time, and so it's a portability issue.
You should use .htaccess directives to set up any level of customization.
And in best practice you can route all requests to index.php to avoid direct access of php files.
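An added example, not taken from any of the answers above: an .htaccess that serves extensionless URLs from .php files and also returns 404 when a client requests a .php URL directly, which is the second goal in the question. It assumes mod_rewrite is enabled and that the files keep their .php extension on disk.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Rule 1: refuse .php URLs typed by the client.
    # REDIRECT_STATUS is empty only on the initial request, so this rule
    # does not fire again after rule 2 has rewritten /about to about.php.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    # THE_REQUEST is the raw request line, e.g. "GET /about.php?x=1 HTTP/1.1".
    # Match ".php" in the path only, followed by "/", "?" or the space
    # before the protocol version.
    RewriteCond %{THE_REQUEST} ^[A-Z]+\s[^?\s]*\.php[/?\s] [NC]
    RewriteRule ^ - [R=404,L]

    # Rule 2: map /about to about.php when that file exists
    # and /about is not itself a directory.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+)$ $1.php [L]
</IfModule>
```

Hiding the extension changes only what the URL looks like; every script under the document root is still reachable by its extensionless name.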

Related

I am redesigning a PHP website in HTML. Do I need to set up redirects because of the file extension?

I am working on redesigning a website that is currently a PHP website. The new site will be all HTML. I am trying to keep all of the slugs the same. Should I set up redirects?
Currently, the website pages have the .PHP extension in the browser.
Example: https://www.dehartsystems.com/residential.php
The new page will be HTML and the URL will have no file extension.
Example: https://www.dehartsystems.com/residential
Do I need to set up redirects as the file extension will be changing?
To answer your question, yes you do need to set up redirects. Typically this is done in the .htaccess file in the root of your html folder on your server.
In this .htaccess file you put:
# Check rewriting is possible.
<IfModule mod_rewrite.c>
# Turn on Rewrite engine
RewriteEngine on
# check if file does not exist.
RewriteCond %{REQUEST_FILENAME} !-f
# check if folder does not exist.
RewriteCond %{REQUEST_FILENAME} !-d
# rewrite the given URL.
RewriteRule ^(.*)\.php$ $1.html [R=301,L]
</IfModule>
This will redirect any call to any .php file that does not exist to the HTML file with the same file name, in the same folder location.
Reference:
https://htaccessbook.com/add-remove-change-file-extensions-htaccess/
See also How to change the PHP file extension using .htaccess file on GoDaddy Linux Hosting?
Yes, you will need to rename every file to .HTML; if you don't do so, the browser won't recognize the file as code. Only with "https://www.dehartsystems.com/residential.html" will your website work, i.e. you should rename residential.php to residential.html.

Hide .php without htaccess [duplicate]

How am I able to hide a .php extension in a URL address, so that this address:
http://www.thesite.com/somefile.php
would look like:
http://www.thesite.com/somefile
without the use of the .htaccess file? The reason is that I have many directories and want to hide the extension on all those files in every directory. I have tried to set expose_php to off, and this still fails with error 404.
I am using PHP 5.3.10 and Apache server.
Although you specifically said no, using the .htaccess file would remove the .php extension from all PHP files in all subdirectories in a site. I think that is what you are going for.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
</IfModule>
Putting that into the .htaccess file will remove all the .php file extensions. Or you could put it directly into the webserver's configuration files.
You can achieve this with URL rewriting. If you don't want to use .htaccess, you can write the rule in your host configuration file.

How To Make Files With No Extension Behave As PHP

At this moment I have the following files in my directory:
index.php
about.php
help.php
I'm using these lines in .htaccess to call the files using no extension.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
So sitename.com/index works as sitename.com/index.php
But I want to remove extensions completely. My directory would then look like this:
index
about
help
How to modify .htaccess to read some of these files as PHP and leave others untouched?
One possible solution would be to catch 404 errors.
You need to configure your web server to trigger a specific PHP page on error. That PHP page would then read the requested URL and include a file with the same name.
Here is some help to get started: onlamp.com
You probably can't do it with .htaccess alone. You'll need to set your webserver to treat no-extension files as PHP files, and I'm not sure it can be done at all.

PHP: allowing upload of .php files for users, how do I prevent them from running?

I am allowing people to upload their project files. I've tightened my security, but I just need to get to the simple point: how can I stop execution of any files in the subdirectories they're uploading to?
I'm thinking .htaccess, but I'd need to generate one for each new subdirectory (I think). Would I need to scrap my current code and use a .php file to send headers to force DL on the file instead of running?
What do you think is an easy and safe solution for this? It just uploads to a subdirectory like uploads/~foo/bar.html or something, it looks nice that way so it'd be nice if it can stay like that format.
Put this in uploads/.htaccess:
RemoveType application/x-httpd-php .php
This will work for all subfolders. Also make sure you don't parse .htaccess in the users folders. This can be done by AllowOverride None in the main server config, or it can be done by not allowing uploads of .htaccess files in the first place.
If for example these uploaded files are in the directory "uploads" and subdirectories of it:
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]
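A main-server-config version of what the two answers above aim for, as an added example that is not from either answer. It assumes Apache 2.4, a constructed path /var/www/example/uploads, and PHP loaded as mod_php (the IfModule block is skipped otherwise). It does not rely on RemoveType, which only undoes AddType mappings and leaves AddHandler/SetHandler mappings in place.

```apache
# Constructed path: replace with the real uploads directory.
<Directory "/var/www/example/uploads">
    # Ignore any .htaccess file an uploader manages to place in this tree.
    AllowOverride None

    # No CGI execution and no directory listings for uploaded content.
    Options -ExecCGI -Indexes

    # mod_php only: switch the interpreter off for this directory tree.
    # mod_php.c is the PHP 8 module name; PHP 7 and PHP 5 builds use
    # mod_php7.c and mod_php5.c, so adjust the name to the build in use.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Refuse script-like names and clear any handler mapped to them.
    # The trailing (\.|$) also covers names such as x.php.txt, because
    # mod_mime looks at every extension of a file name, not only the last.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
        SetHandler None
        Require all denied
    </FilesMatch>
</Directory>
```

Because the section lives in the server configuration and applies to the directory and everything below it, no per-subdirectory .htaccess has to be generated for new upload folders.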
