Is there a problem if I leave a php file containing only HTML code?

2

I have a PHP file on my site that serves as a template for a single page of the site. Within that file there is only HTML code; there is no PHP tag `<?php ?>` or anything else. It's like an HTML file, but with the .php extension.

My question is this: if I leave the file as it is, will I leave the site vulnerable to attacks?

  • 4

    It won't be more or less vulnerable ... but if you don't have any PHP, just leave it with the .html extension.

  • Is this template part of any PHP layout composing system? Do you ever use PHP to load the template? I don't understand the PHP tag if the question is not about the language...

7 answers

7

This in itself does not leave you vulnerable, but if it is a static file you can leave it static. It only makes sense to keep PHP together with HTML when you need to render HTML on the server. Serving the file as static also avoids an unnecessary call to the PHP engine to interpret the script.

  • It would actually be interpretation. As for rendering, the browser itself already does that with HTML. The main point, as stated by @Trxplz0, is precisely not to force the file to be read and interpreted in search of something.

  • @Brunoaugusto whenever we add a PHP file it goes through a process of "interpreting" the script; this is a fact. But the point is that PHP together with HTML only makes sense when you need to render HTML; if the HTML is static there is "no need to go through any rendering".

  • I know that much. I just made it clear that the problem of having a PHP file without any PHP routine inside implies a performance problem, by requiring an unnecessary interpretation of it from the server. Of course HTML is also interpreted, but not by the server.

  • 1

    @Brunoaugusto I added the comment on the interpretation of the script :)

3

Just to add: what makes you vulnerable or not is your server's security settings, not whether the file extension is .html or .php. The problem would be if you ran a .php file with malicious code.

Hugs!

  • I upvoted, but I will make 2 observations... 1. Omitting the file extension is also a security issue. 2. It is no use your server being safe if you do not handle incoming information: SQL injection, XSS and so on.

  • Right! Hug!

3

Rename it to .html, preventing PHP from starting the parse process!

As for security, no, because as you said yourself there is no PHP code, vulnerable or not!

1

There are two factors involved in this question:

1) If the site follows a programming standard, it is good to keep the .php extension.

2) The page and/or site may be vulnerable with or without the .php extension. This does not interfere with security; what matters is how it reaches the user's screen. If, for example, it has malicious code it will be vulnerable, because the server sends you .html output.

From my own experience: if it is PHP, use the same extension for all pages.

1

No, no. If that's the case and there are no problems (fast server), you can leave it with the .php extension; it will then be passed through the PHP parser to check for the existence of any PHP tag.

  • 2

    Can you elaborate on the "if that’s the case and you don’t have any problems"? I think that’s exactly the part the questioner wants to know.

0

If the file only contains the template, without any associated password, there is no vulnerability, because a file without confidential data, and without write permission on itself and/or its directory, is like an image or something like that. If you want to protect the directory so that it is accessed only by the site, just set this rule in the .htaccess in that folder.

http://httpd.apache.org/docs/2.2/pt-br/howto/htaccess.html

PHP, configured under application/x-httpd-php, can be executed with virtually any extension. What could put you at risk is if this configuration does not accept PHP within HTML and you put PHP code in it; then yes, it could display a password or some relevant data. But with pure HTML there is no risk.

  • Pure HTML is understood to mean without any other language (PHP/ASP/JSP and the like).
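
A check in the spirit of the answer above, as an added example that is not part of the original answers: it walks a web root and lists .php files that contain no PHP tag (the asker's case) and static files that do contain PHP, which would reach the client as source. The extension sets, function names and sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the PHP handler on the server.
PHP_EXTENSIONS = {".php"}
# Assumption: these extensions are served as plain static files.
STATIC_EXTENSIONS = {".html", ".htm", ".inc", ".txt"}
# Full open tag or short echo tag; a bare "<?" is skipped so "<?xml" does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample tree, not taken from the page.
SAMPLE_FILES = {
    "about.php": b"<html><body><h1>About</h1></body></html>",
    "index.php": b"<?php echo 'hi'; ?>",
    "contact.html": b"<html><body>Contact</body></html>",
    "db.inc": b"<?php $password = 'placeholder'; ?>",
    "feed.html": b'<?xml version="1.0"?><html></html>',
}


def audit_webroot(root):
    """Return (static_php, exposed_php) as lists of paths relative to root."""
    static_php, exposed_php = [], []
    for path in sorted(Path(root).rglob("*")):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in PHP_EXTENSIONS | STATIC_EXTENSIONS:
            continue
        has_php = PHP_OPEN_TAG.search(path.read_bytes()) is not None
        rel = path.relative_to(root).as_posix()
        if ext in PHP_EXTENSIONS and not has_php:
            static_php.append(rel)   # interpreter is invoked for pure HTML
        elif ext in STATIC_EXTENSIONS and has_php:
            exposed_php.append(rel)  # PHP source would reach the client as text
    return static_php, exposed_php


def demo():
    """Write the constructed sample tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_bytes(body)
        return audit_webroot(tmp)


if __name__ == "__main__":
    static_php, exposed_php = demo()
    print("PHP extension but no PHP code:", static_php)
    print("PHP code in a static extension:", exposed_php)
```
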

0

The vulnerability of an HTML file is the same as in a PHP file.

In your case, you are dealing with "non-confidential" information, which could be viewed through "view source code" (i.e., the issue of vulnerability is irrelevant).

Your concern about vulnerability should only be with: how strong your passwords are and what level of server security the site is hosted on.

Other than that, don’t worry about the file extension.

  • Your answer is completely wrong... Vulnerability goes very³³³ far beyond a strong or weak password...