In general, security by obscurity is one of the weakest forms of security.
But in some cases, every little bit of extra security is desirable.
A few simple techniques can help to hide PHP, possibly slowing down
an attacker who is attempting to discover weaknesses in your system.
By setting expose_php to off in your php.ini file, you reduce the amount
of information available to them.
Another tactic is to configure web servers such as Apache to parse different
filetypes through PHP, either with an .htaccess directive or in the Apache
configuration file itself. You can then use misleading file extensions:
Example #1 Hiding PHP as another language

# Make PHP code look like other code types.
AddType application/x-httpd-php .asp .py .pl

Or obscure it completely:

Example #2 Using unknown types for PHP extensions

# Make PHP code look like unknown types.
AddType application/x-httpd-php .bop .foo .133t

Or hide it as HTML code, which has a slight performance hit because all HTML
will be parsed through the PHP engine:

Example #3 Using HTML types for PHP extensions

# Make all PHP code look like HTML.
AddType application/x-httpd-php .htm .html

For this to work effectively, you must rename your PHP files with the above
extensions. While it is a form of security through obscurity, it's a minor
preventative measure with few drawbacks.
By default, PHP is set to announce its presence whenever anyone asks - this is usually through the web server. You can turn this functionality off by editing your php.ini file, and changing "expose_php" to "Off".
If you do this, as well as using a different file extension, your use of PHP is mostly hidden. However, if your code generates any error messages, your use of PHP will become immediately obvious. To get around this, and thereby truly hide PHP, you should force PHP not to display error messages: edit your php.ini file and set "display_errors" to "Off".
This will make debugging a little harder, but be sure to set "log_errors" to "On" - this will make sure that whenever your script generates an error, it will be stored away in the error log file so that you can analyse the problem.
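A check a practitioner would want after making the php.ini changes described above: the following POSIX shell audit is an added example, not from the PHP manual, that reads the effective values of expose_php, display_errors and log_errors from a php.ini-style file and flags any that differ from the recommended settings. The function names and the two sample files it builds are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the PHP manual): audit a php.ini for the three
# directives discussed above. Sample files below are constructed for illustration.

# Print the effective value of a directive from a php.ini-style file.
# php.ini rules applied here: lines starting with ';' are comments, the last
# uncommented assignment wins, quotes and trailing comments are stripped.
# Prints nothing if the directive is not set.
ini_value() {
    # $1 = path to php.ini, $2 = directive name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" \
      | tr '[:upper:]' '[:lower:]'
}

# Compare one directive with the value the text recommends.
# Writes an ok/warn line to stderr; returns 0 when compliant, 1 otherwise.
check_directive() {
    # $1 = php.ini, $2 = directive, $3 = expected value (lower-case)
    actual=$(ini_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2 = $actual" >&2
        return 0
    fi
    echo "warn  $2 = ${actual:-<unset>} (expected $3)" >&2
    return 1
}

# Run the three checks and print the number of findings to stdout
# (0 means the file matches every recommendation in the text).
audit_php_ini() {
    findings=0
    check_directive "$1" expose_php off     || findings=$((findings + 1))
    check_directive "$1" display_errors off || findings=$((findings + 1))
    check_directive "$1" log_errors on      || findings=$((findings + 1))
    echo "$findings"
}

# Constructed sample resembling a stock php.ini: PHP announces itself,
# errors are shown to the client, and error logging is commented out.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[PHP]
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
display_errors = On
;log_errors = On
EOF

# Constructed hardened sample: a superseded duplicate, a quoted value and a
# trailing comment, to show the parser handles all three.
HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
[PHP]
expose_php = On
expose_php = Off
display_errors = "Off"
log_errors = On ; keep the log, analyse problems there instead
EOF
trap 'rm -f "$SAMPLE_INI" "$HARDENED_INI"' EXIT

echo "stock sample findings:    $(audit_php_ini "$SAMPLE_INI")"
echo "hardened sample findings: $(audit_php_ini "$HARDENED_INI")"
```

Run it against the real file (the path php reports under "Loaded Configuration File" in php --ini) by replacing the constructed samples; a non-zero count means at least one of the three directives still differs from the settings the text recommends. Note that the audit only reads php.ini itself, so values overridden elsewhere (for example php_value lines in .htaccess, or ini_set() calls in scripts) are not seen by it.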