In general, security by obscurity is one of the weakest forms of security.
But in some cases, every little bit of extra security is desirable.
A few simple techniques can help to hide PHP, possibly slowing
down an attacker who is attempting to discover weaknesses in your
system. By setting expose_php = off in your php.ini file, you
reduce the amount of information available to them.
Another tactic is to configure web servers such as apache to
parse different filetypes through PHP, either with an .htaccess
directive, or in the apache configuration file itself. You can
then use misleading file extensions:
例子 16-18. 将 PHP 隐藏为另一种语言 # Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl |
|
或者完全地隐藏:
例子 16-19. 对 PHP 使用未知扩展名 # Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t |
|
Or hide it as html code, which has a slight performance hit because
all html will be parsed through the PHP engine:
例子 16-20. 对 PHP 使用 HTML 扩展名 # Make all PHP code look like html
AddType application/x-httpd-php .htm .html |
|
For this to work effectively, you must rename your PHP files with
the above extensions. While it is a form of security through
obscurity, it's a minor preventative measure with few drawbacks.