Posted: Wed Sep 05, 2007 4:26 pm
by RobertGonzalez
When you have the .phps exposure on, the .php file shows its own source when you call the file as .phps. There is no placement of a .phps file on the server; the server looks for the corresponding .php file and shows its source. How is that not a security risk?
Posted: Wed Sep 05, 2007 4:55 pm
by VladSun
???
It's up to the developer to decide whether he will or will NOT save it as .phps! So the security risk is the developer himself

Posted: Wed Sep 05, 2007 5:14 pm
by RobertGonzalez
Wrong, it is an extension in PHP that does not require a .phps file.
Posted: Wed Sep 05, 2007 5:19 pm
by VladSun
Last post ...
Everah ... turning this Apache directive on or off has absolutely nothing to do with security, point.
Posted: Wed Sep 05, 2007 5:21 pm
by RobertGonzalez
Last Post...
Believe what you will. Just try not to take others down with you.
Posted: Wed Sep 05, 2007 9:31 pm
by tecktalkcm0391
Everah wrote: Last Post...
Believe what you will. Just try not to take others down with you.
First of all... who is more credible:
Everah with 11186 posts (at time of this post)
-or-
VladSun with 416 posts (at time of this post)
.... and I agree... the server will look for .php files if a .phps file exists.
Posted: Wed Sep 05, 2007 9:55 pm
by playgames
something remember.
if you has "<?" type in your html file
while you change .html to .php.
it can't work
else you'd close the php.ini:short_tags:
Posted: Thu Sep 06, 2007 12:41 am
by RobertGonzalez
playgames wrote: something remember.
if you has "<?" type in your html file
while you change .html to .php.
it can't work
else you'd close the php.ini:short_tags:
Huh?

Posted: Thu Sep 06, 2007 5:04 am
by VladSun
tecktalkcm0391 wrote: Everah wrote: Last Post...
Believe what you will. Just try not to take others down with you.
First of all... who is more credible:
Everah with 11186 posts (at time of this post)
-or-
VladSun with 416 posts (at time of this post)
Look at linux-bg.org forums - I have 1000+ posts, Everah has 0 - does it mean Everah has absolutely no knowledge of Linux?!?
tecktalkcm0391 wrote: .... and I agree... the server will look for .php files if a .phps file exists.
Gosh!
Do a Google search on "secure Apache PHP installation" ... Don't be surprised if nobody cares about your imaginable *.phps security issues

Posted: Thu Sep 06, 2007 6:01 am
by CoderGoblin
Rather than get into a "Who knows best" situation, surely it just makes sense that if you don't need an Apache setting you don't set it, as you never know when your code/application will be needed in a different environment. highlight_file() will suffice if required in the majority of instances. I would question when you would need to show server PHP code anyway outside of something like PHPDocumentor. This uses highlight_file unless I am very much mistaken and should never be accessible to everyone without some method of protection via password or behind a firewall.
The number of posts is not a valid quantifier of how much someone knows, but we must all be open to new ideas. There aren't many days I look on these forums and don't learn something, even if I have posted over a thousand replies to people, and I am pleased by this. Using these forums allows me to help others and to be helped at the same time.
Posted: Thu Sep 06, 2007 10:43 am
by RobertGonzalez
I believe I may have to humble myself. I had set phps at one point to display the source of PHP files on a server. I believe I am wrong in this thread in that, from my current tests, phps-extensioned files seem to be necessary on a plain-Jane setup of PHP on Apache. So in essence, in order to parse the source of a .php file you would need to not only have the phps file extension parser directive set in the httpd.conf file, you would also have to literally save the same .php file to the server with a .phps extension.
I apologize for giving inaccurate information. SuperD, thanks for getting my back, but I do believe in this instance I may be wrong as it relates to my current arguments in this thread.
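
The thread ends on two conditions for source display: the handler directive in httpd.conf and a file actually saved with a .phps extension. As an added example (not posted by anyone in this thread), this Python script checks for both; it assumes the directive in question is the one mapping `application/x-httpd-php-source`, and the function names, config fragment and file tree are constructed for illustration.

```python
import os
import re
import tempfile

# Directives that map files to PHP's source-display handler (uncommented lines only).
SOURCE_HANDLER = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler)\s+.*application/x-httpd-php-source", re.I)

def config_hits(conf_text):
    """Return (line_number, directive) for each line enabling source display."""
    return [(n, line.strip())
            for n, line in enumerate(conf_text.splitlines(), 1)
            if SOURCE_HANDLER.match(line)]

def phps_files(docroot):
    """Return (relative_path, is_symlink, has_php_sibling) for every .phps file."""
    found = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            if name.lower().endswith(".phps"):
                full = os.path.join(dirpath, name)
                found.append((os.path.relpath(full, docroot),
                              os.path.islink(full),
                              os.path.exists(full[:-1])))  # foo.phps -> foo.php
    return sorted(found)

def run_constructed_sample():
    """Audit a constructed httpd.conf fragment and a constructed docroot."""
    conf = ("# AddType application/x-httpd-php-source .phps\n"
            "AddType application/x-httpd-php .php\n"
            "AddType application/x-httpd-php-source .phps\n")
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "index.phps", "lib/db.php", "notes.phps"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
        return config_hits(conf), phps_files(root)

if __name__ == "__main__":
    hits, files = run_constructed_sample()
    for n, directive in hits:
        print(f"httpd.conf line {n}: {directive}")
    for rel, link, sibling in files:
        print(f"{rel}: symlink={link} php_sibling={sibling}")
```

A .phps file with a .php sibling, or one that is a symlink to a .php file, is the case worth reviewing first, since it is likely a copy of live application code.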
Posted: Thu Sep 06, 2007 11:58 am
by VladSun
@Everah
Never mind!
I'm sure you've been and you will be helpful enough for a lot of people here. That's the most important thing, right?

Posted: Thu Sep 06, 2007 12:04 pm
by RobertGonzalez
Hey, it's all good. I've been wrong before. I am certain that I will be wrong again. Probably today.

Posted: Thu Sep 06, 2007 12:21 pm
by asif_phpdn
convert html to php. but this converting something like simple to complex, happy to sorry, ........
