<object id="xwuag"></object>
      1. <tbody id="xwuag"><pre id="xwuag"><video id="xwuag"></video></pre></tbody>
        <progress id="xwuag"></progress>

        <nav id="xwuag"><big id="xwuag"><rt id="xwuag"></rt></big></nav>
        <em id="xwuag"></em>

        <nav id="xwuag"></nav><rp id="xwuag"></rp>
        <li id="xwuag"></li>
      2. <rp id="xwuag"></rp>
        <s id="xwuag"></s><th id="xwuag"><pre id="xwuag"><video id="xwuag"></video></pre></th>
      3. <nav id="xwuag"><center id="xwuag"></center></nav>
          <dd id="xwuag"><big id="xwuag"></big></dd>

          隐藏 PHP

          一般而言,通过隐藏的手段提高安全性被认为是作用不大的做法。但某些情况下,尽可能的多增加一份安全性都是值得的。

          一些简单的方法可以帮助隐藏 PHP,这样做可以提高攻击者发现系统弱点的难度。在 php.ini 文件里设置 expose_php = off ,可以减少他们能获得的有用信息。

          另一个策略就是让 web 服务器用 PHP 解析不同扩展名。无论是通过 .htaccess 文件还是 Apache 的配置文件,都可以设置能误导攻击者的文件扩展名:

          Example #1 把 PHP 隐藏为另一种语言

          # 使PHP看上去像其它的编程语言
          AddType application/x-httpd-php .asp .py .pl
          或者干脆彻底隐藏它:

          Example #2 使用未知的扩展名作为 PHP 的扩展名

          # 使 PHP 看上去像未知的文件类型
          AddType application/x-httpd-php .bop .foo .133t
          或者把它隐藏为 HTML 页面,这样所有的 HTML 文件都会通过 PHP 引擎,会为服务器增加一些负担:

          Example #3 用 HTML 做 PHP 的文件后缀

          # 使 PHP 代码看上去像 HTML 页面
          AddType application/x-httpd-php .htm .html
          要让此方法生效,必须把 PHP 文件的扩展名改为以上的扩展名。这样就通过隐藏来提高了安全性,虽然防御能力很低而且有些缺点。
          add a note add a note

          User Contributed Notes 25 notes

          up
          25
          rustamabd at google mail
          12 years ago
          So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in top-level directory AND subdirectories and it doesn't need hardcoding the RewriteBase.

          .htaccess:

          RewriteEngine on

          # Rewrite /foo/bar to /foo/bar.php
          RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

          # Return 404 if original request is /foo/bar.php
          RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
          RewriteRule .* - [L,R=404]

          # NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
          # RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]
          up
          14
          m1tk4 at hotmail dot com
          16 years ago
          I usually do:

          <code>
          RewriteEngine on<br>
          RewriteOptions inherit<br>
          RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]<br>
          </code>

          in .htaccess. You'll need mod_rewrite installed for this .
          up
          18
          marpetr at NOSPAM dot gmail dot com
          13 years ago
          I think the best way to hide PHP on Apache and Apache itself is this:

          httpd.conf
          -------------
          # ...
          # Minimize 'Server' header information
          ServerTokens Prod
          # Disable server signature on server generated pages
          ServerSignature Off
          # ...
          # Set default file type to PHP
          DefaultType application/x-httpd-php
          # ...

          php.ini
          ------------
          ; ...
          expose_php = Off
          ; ...

          Now the URLs will look like this:
          http://my.server.com/forums/post?forumid=15

          Now hacker knows only that you are using Apache.
          up
          12
          CD001
          8 years ago
          It's a good idea to "hide" PHP anyway so you can write a RESTful web application.

          Using Apache Mod Rewrite:

          RewriteEngine On
          RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

          You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

          <?php
          function myGET() {
           
          $aGet = array();

            if(isset(
          $_GET['query'])) {
             
          $aGet = explode('/', $_GET['query']);
            }

            return
          $aGet;
          }
          ?>

          This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.
          up
          8
          l0rdphi1 at liquefyr dot com
          15 years ago
          More fun includes files without file extensions.

          Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set.

          Oh yea, it gets even better when you play with stuff like the following:

          <?php
          substr
          ($_SERVER['PATH_INFO'],1);
          ?>

          e.g. www.example.com/somepage/55

          And:

          <?php
          foreach ( explode('/',$_SERVER['PATH_INFO']) as $pair ) {
              list(
          $key,$value) = split('=',$pair,2);
             
          $param[$key] = stripslashes($value);
          }
          ?>

          e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc

          Enjoy =)
          up
          9
          anon at example dot com
          5 years ago
          The session name defaults to PHPSESSID.  This is used as the name of the session cookie that is sent to the user's web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77).

          To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start().  Example:

          session_name("id");
          session_start();

          Cheers.
          up
          7
          info at frinteractives dot com
          3 years ago
          try this
          RewriteEngine On

          # Unless directory, remove trailing slash
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule ^([^/]+)/$ http://example.com/folder/$1 [R=301,L]

          # Redirect external .php requests to extensionless url
          RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
          RewriteRule ^(.+)\.php$ http://example.com/folder/$1 [R=301,L]

          # Resolve .php file for extensionless php urls
          RewriteRule ^([^/.]+)$ $1.php [L]
          up
          9
          mmj
          15 years ago
          You can see if somebody's using PHP just by adding the following to the end of the URL:
          ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
          If the page is using PHP, this will show the PHP credits.

          Setting expose_php to Off in php.ini prevents this.
          up
          6
          Anonymous
          16 years ago
          PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you.  The problem is that safe-mode forces Apache to honor trailing characters in a requested URL.  This means that:

          http://www.example.com/home

          would still be processed by the home script in our doc root, but for:

          http://www.example.com/home/contact_us.html

          apache would actually look for the /home/contact_us.html file in our doc root.

          The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host.  So, for a virtual host listening on port 8080, the apache directives would look like this:

          <VirtualHost *:8080>
              DocumentRoot /web/doc_root
              Alias /home "/web/doc_root/home.php"
              AcceptPathInfo On
          </VirtualHost>

          Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off.  The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host.  This is the equivilent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.
          up
          6
          sandaimespaceman at gmail dot com
          10 years ago
          Set INI directive "expose_php" to "off" will also help.
          You can spoof your PHP to ASP.NET by using:
          <?php
          error_reporting
          (0);
          header("X-Powered-By: ASP.NET");
          ?>
          up
          5
          ldemailly at qualysNOSPAM dot com
          15 years ago
          adding MultiViews to your apache Options config
          lets you hide/omit .php in the url without any rewriting, etc...
          up
          5
          yasuo_ohgaki at yahoo dot com
          17 years ago
          To hide PHP, you need following php.ini settings

          expose_php=Off
          display_errors=Off

          and in httpd.conf

          ServerSignature Off
          (min works, but I prefer off)
          up
          4
          istvan dot takacsNOSPAM at hungax dot com
          17 years ago
          And use the
          ServerTokens min
          directive in your httpd.conf to hide installed PHP modules in apache.
          up
          3
          Bryce Nesbitt at Obviously.COM
          16 years ago
          Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:

          (1) Don't hard code file types at all.  Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. This is called canonical URL format:
               www.xxxxxx.com/page
              www.xxxxxx.com/directory/
          This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.

          (2) In an Apache .htaccess file use:
              RewriteEngine on
              RewriteRule page.html page.php

          (3) Force the webserver to interpret ALL .html files as .php:
              AddType application/x-httpd-php .php3 .php .html
          up
          3
          sth at panix dot com
          16 years ago
          The flipside to this is, if you're running a version of
          PHP/Apache which is not known to have exploitable bugs (usually the latest stable version at the time), and an attacker sees this, they may give up before even trying. If they don't, they may continue to attempt their exploit(s).

          It really depends on the type of attacker. The educated, security advisory reading attacker vs. script kiddie on the street.

          If you're keeping up on patches, version exposition should not be a problem for you.
          up
          4
          simon at carbontwelevedesign dot co dot uk
          12 years ago
          I use the following in the .htaccess document

          <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteBase /
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /index.php [L]
          </IfModule>

          then the following simple code

          <?php

          $permalinks
          = explode("/",$_SERVER['REQUEST_URI']);

          $varone = $permalinks[1];
          $vartwo = $permalinks[2];

          ...

          ?>
          up
          3
          jtw90210
          13 years ago
          In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf.

          AddType application/x-httpd-php .php .html
          AcceptPathInfo On

          Try it out with your phpinfo page and you'll be able to search for PATH_INFO.

          http://example.com/myphpinfo.php/showmetheway

          If you want to drop the .php use one or both of these:
          DefaultType application/x-httpd-php
          ForceType application/x-httpd-php
          up
          3
          Pyornide
          10 years ago
          The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.
          up
          3
          Anonymous
          15 years ago
          Keep in mind, if your really freaked out over hiding PHP, GD will expose you.

          Go ahead - make an image with GD and open with a text editor.. Somewhere in there you'll see a comment with gd & php all over it.
          up
          3
          php at user dot net
          15 years ago
          What about this in a .htaccess file :

          RewriteEngine on
          RewriteRule    ^$    /index.php    [L]
          RewriteRule    ^([a-zA-Z0-9\-\_/]*)/$    /$1/index.php    [L]
          RewriteRule    ^([a-zA-Z0-9\-\_/]*)\.(html|htm)$    /$1.php    [L]
          RewriteRule    ^([a-zA-Z0-9\-\_/]*)$    /$1.php    [L]

          Typing "sub.domain.foo/anything" loads "/anything/index.php" if 'anything' is a directory, else it loads "/anything.php".

          I'm sure you can find mutch better, but it works great on my site :)
          国产成人午夜福利r在线观看_欧美性受xxxx孕妇_白丝娇喘过膝袜爽短裙调教_jizz jizz xxxx