Hiding PHP file extension

Posted on January 1, 2008 
Filed Under htaccess, php

Do you want to hide your web site’s server script identity ? If you don’t want to reveal the programming language ( server side script ) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.

Here is a small technique for you, you can use .html or .asp file to work as a php file i.e. use .asp or .html extension instead of .php. You just need to create a .htaccess file and put the following code in the .htaccess file. Remember that the .htaccess file should be placed in the root folder of your website.

# Make PHP code look like asp or perl code
AddType application/x-httpd-php .asp .pl

if you place the the above code in the .htaccess file then you can use contact.asp as the name of the file. Now a visitor thought that it is a ASP file but this file contains the codes of PHP.

You can put the following code in .htaccess file to work .htm or .html file as PHP file.

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html

3M0-600 certification exams are very important for IT professional for getting more updated skills. 4H0-028, Hyperion Certified Professional - System 9 Planning 4.1 exams are very significant exams for becoming more professionals in the field of technology. 50-686, certification exams are very assistive to give full training to IT professionals. 640-802 is also known as CCNA, very significant exams for Cisco networking administrators. 640-863 certification exams provide very exact solutions of Cisco networking in the most effective manner. 3Com Certified IP Telephony NBX Expert Final Exam V3.0 is also known as 3M0-701 which provides authentic knowledge for operating IP telephony networks. 310-203, Sun Certified System Administrator for the Solaris 10 Operating System is designed to improve the professional talents of the individuals for operating system efficiently.

Popularity: 32% [?]

Enter your email address and get recent tutorials, tips, tricks and scripts of PHP, Ajax, JavaScript and CSS directly delivered to you email inbox:

Follow me on twitter at http://twitter.com/roshanbh.

Related Posts

» Hide .php extension with url rewriting using .htaccess
» Getting filename and extension in PHP using explode() ,basename() and pathinfo()
» Custom Error Page with .htaccess
» Useful flash Components for your website

Comments

26 Responses to “Hiding PHP file extension”

  1. Hiding PHP file extension- make .html or .asp extension of php file on January 7th, 2008 5:40 am

    [...] Do you want to hide your web site’s server script identity ? If you don’t want to reveal the programming language ( server side script ) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.rnClick here to Read More [...]

  2. Ryan on January 8th, 2008 9:43 pm

    Thanks for sharing this technique. I kinda feel like a traitor for not standing up and defending PHP and open source constantly, but yes, there are some business people that still think traditional open source web sites (.php, perl, python), are somehow inferior to .aspx, .cfm and even .jsp sites. (I’m not talking here about [overtly] deceiving the client, or telling them they have a ASP.NET site when its a PHP site. However, if one of these (IMHO) “stuck up”, opinionated, and money wasting customers want to believe that a site is .aspx (when it’s really .php), then he has really deceived himself.

    Thanks for sharing this technique. I’ll try not to abuse it. :)

  3. Wscoop on January 10th, 2008 5:13 am

    Story added…

    Your story was featured in Wscoop! Here is the link to vote it up and promote it: http://www.wscoop.com/Security/Hiding-PHP-file-extension...

  4. Sonny on January 10th, 2008 8:09 am

    nice trick, I heard about this a while ago…but I like your presentation (simple)

  5. Rob Desbois on January 10th, 2008 10:25 am

    “If you don’t want to reveal the programming language ( server side script ) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.”

    Obscurity is *not* a security measure; just making it not immediately obvious what language you’re coding in server-side doesn’t prevent any sort of code injection. Code injection is prevented by cleaning user input before passing it to functions like eval() whch can execute arbitrary code.

    A nice technique worth sharing - but IMHO rather than making one extension behave like another it’s better to use mod_rewrite or an equivalent. Then you can have e.g. http://www.example.com/show_users map to file /show_users.php

  6. Jasper on January 10th, 2008 10:28 am

    I think it looks a lot cleaner to come up with a nice mod rewrite system that completely removes file extensions and interprets the query string. looks a lot neater.

  7. roshanbh on January 10th, 2008 11:35 am

    Rob and Jasper i agree with you that with mod_rewrite you can do it in a better way and if your good in regular expression then that is the best way, but it’s a bit tedious for the beginners to write the regular expression in .htaccess.

  8. Aidan Samuel on January 10th, 2008 3:28 pm

    You may be hiding the extension, but you’re still sending out “X-Powered-By: PHP/4.4.6″ in the headers.

    ;-)

  9. Gavin Terrill on January 10th, 2008 5:42 pm

    I had problems getting “AddType” to work on a netnation hosted site. Turns out using “AddHandler” did the trick: http://fishdujour.typepad.com/blog/2007/08/htaccess-settin.html

  10. Leslie Hoare on January 13th, 2008 6:18 am

    A better way is to show no extension at all, you can do that with this line:

    Options +MultiViews

    That’ll make any file type (like .html, .jpg, etc) visible without a file extension too. And it’ll make it easier if you decide later on to switch scripting languages, say to Ruby or Java :)

  11. roshanbh on January 13th, 2008 10:50 am

    yes Leslie you can hide the extension with Options +MultiViews but you cannot the change its extension like .asp or .html with that.

  12. will on January 15th, 2008 3:01 pm

    in response to Aidan Samuel:
    you can change the X-Powered-By with a couple tweaks to your php.ini and apache configurations.

    the best use (in my opinion of hiding php), is to make a director where i will generate CSS or Javascript, and have an .htaccess with: “AddType application/x-httpd-php .css” in it. it can also be used to generate graphs or captchta images. i can then transparently generate javascript or css on-the-fly.

  13. Michelle Marsh on January 23rd, 2008 11:22 am

    Hello webmaster…Thanks for the nice read, keep up the interesting posts..what a nice Wednesday . Michelle Marsh

  14. beauty on January 25th, 2008 4:12 pm

    Hello webmaster Thanks. It is very infortant topic that u have given the following. it is a useful topic.

  15. Asp.net Ajax on January 27th, 2008 2:29 pm

    I gather always different opinions about web 2.0 and how to market with the different mindset of the \”new\” Internet. Will social interaction and networking really make the web different? Thanks for your thoughts on this!

  16. Payday Loan on January 29th, 2008 3:05 pm

    Good observers will cherish this research respecting meanwhile many folks done remarked that the text is exceptional! I appreciate all the info you gave.

  17. Benji Madden on February 1st, 2008 7:58 pm

    Hi…Thanks for the nice read, keep up the interesting posts..what a nice Friday

  18. Doodee on February 4th, 2008 12:20 am

    Thanks for sharing

  19. Reza on February 10th, 2008 10:43 pm

    How to hide the script of GET. like index.php?id=share

  20. Roshan on February 11th, 2008 4:31 am

    well you can user POST or SESSION variable if you want to hide the GET variables and even you can use apache’s mod_rewrite module for rewriting the url.So there are lots of option according to your need

  21. Hide .php extension with url rewriting using .htaccess on February 13th, 2008 12:12 pm

    [...] time I’ve written an article about hiding php file extension where I’ve showed you how you can use .html or .asp extension of file instead of .php [...]

  22. Top php-Ajax Resource» Blog Archive » Hide .php extension with url rewriting using .htaccess on February 24th, 2008 11:17 am

    [...] time I’ve written an article about hiding php file extension where I’ve showed you how you can use .html or .asp extension of file instead of .php extension. [...]

  23. Nick on March 7th, 2008 2:37 pm

    Hi,

    I have written a script that basicly creates an image for use in forum signatures, which dynamically updates with stats from database every time it is called, the image works fine and everything, my problem is that the image has an extension of .php and some forums will only allow .jpg or .gif as a file extension in signatures, is there any way I can get apache and php to read just this one file as a php script if I change it to .jpg extension, I have tried the method above using .htaccess, it doesn’t seem to work.

  24. sahil on June 13th, 2008 2:36 pm

    hi,
    i used your code but this is not working in my ssh server.could you tell me the best option so that i can see my php page like asp or pearl or html.
    thank

  25. Roshan on June 14th, 2008 7:00 am

    Is .htaccess overriding is allowed in your server.I think .htaccess is not making effect please consult with your server administrator , I don’t think there is problem in the code

  26. Forummekan.org on July 28th, 2008 9:35 pm

    Thanks….:)

Leave a Reply