No need to use .PHP ?

[jimoblak]

I just discovered that my server allows me to leave out '.php' in the URL. It processes

http://www.mydomain.com/display?page=exit

the same at it would

http://www.mydomain.com/display.php?page=exit

. Is this normal for PHP&Apache? Is there a specific server setting that allows this? Would designing a site without PHP file extensions cause any problems for crawlers/robots?

This may be a nice way to keep your users guessing what is powering your web site.

 

[sleipnir214]

If you are running PHP as an Apache module, this would have been expected behavior. It is the &quot;<?php...?>&quot; tags which turn the parser on or off.

But no, this won't keep people guessing -- Apache and PHP identify themselves fully in the HTTP headers they return.

For example, if I open a telnet session on port 80 to

http://www.mydomain.com

and enter the following:

GET / HTTP/1.1[enter]
Host: www.mydomain.com[enter]
[enter]
[enter]

Then Apache returns the following headers:

HTTP/1.1 200 OK
Date: Fri, 24 Jan 2003 15:20:47 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.2.3
X-Powered-By: PHP/4.2.3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

Want the best answers? Ask the best questions:

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[rycamor]

Actually, this is expected behavior for Apache, if you have a certain module installed. (I believe this is mod_negotiation, or maybe it is mod_vhost_alias, but I can't remember). It allows you to leave out the extension while requesting any file, as long as there aren't two files with the same prefix in that directory.

It can be a useful thing to have, if you want search-engine-friendly URLs. Your file can masquerade as a directory, even having additional path info behind it, since PHP handles path info as part of the request.

Thus,

http://www.hostname.com/myfile.php

can become

http://www.hostname.com/myfile/otherinfo/and_more_info,

or even

http://www.hostname.com/myfile/otherinfo/and_more_info/?var=value&var=value.

Then, all you would have to do is explode the additional $PATH_INFO string into tokens and use them however you want, as well as your regular querystring variables.

By the way, Sleipnir, it is also possible to mask any of the other info in the server response string, if you really want to. You can make people think you are running IIS with JSP on a Solaris machine, or any crazy combo you want to make up. Obviously, for the truly sophisticated, there are other methods of determining the remote OS, such as TCP/IP fingerprinting, etc... but the standart text response stuff is really in your hands, if you want. -------------------------------------------

PHP/Perl/SQL/Javascript --

http://brainscraps.com/resume/

 

[BB101]

I know you can use querystring on folder requests and it'll go to the default document, i.e:

http://myserve/somefolder?get=var

will execute index.php (if that is your default doc) --BB

 

[sleipnir214]

rycamor:

With the right software installed, I can keep TCP/IP fingerprinting from working against my system, too. That doesn't mean that a sufficient number of people have done it to make system fingerprinting useless. Want the best answers? Ask the best questions:

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[rycamor]

>With the right software installed, I can keep TCP/IP fingerprinting from working against my system, too. That doesn't mean that a sufficient number of people have done it to make system fingerprinting useless.

Oh, of course. My point was simply that the basic HTTP server response string is easy to modify, without any special software. And even if you don't want to modify that, you can at least prevent PHP from showing up simply by setting &quot;expose_php = Off&quot; in php.ini. -------------------------------------------

My PostgreSQL FAQ --

http://brainscraps.com/faq/pg_my.html

 

[rycamor]

Oh, by the way, I just remembered which Apache module deals with the behavior jimoblak mentioned: mod_negotiation. And in the httpd.conf, you need to have &quot;MultiViews&quot; among the Options directives.

Good thing to remember, for some fun PHP programming ;-). -------------------------------------------

My PostgreSQL FAQ --

http://brainscraps.com/faq/pg_my.html