Should I change my web page extensions?

[mikesmith76]

Can we just clear one thing up. Are you talking about parsing .html documents to run php in them? Or are you taking about using mod_rewrite to rewrite page parameters into a static url?

In the case of the former still cannot see any benefit from doing it, just a false sense of security imho. As for the mod_rewrite solution this can be effective. As you probably know when rewiting the urls you have to write a regular expression to match the incoming data. As long as you write these rules sensibly these can block incoming attacks, as the invalid data will not be matched and thus ignored.

I still maintain my belief that just changing the page extension offers no real protection.

As for the advantages of using the .php extension over .html - there aren't any it's just the norm.

[EArmand]

I'm talking about parsing php inside of html instead of using .php file extensions.

As for the advantages of using the .php extension over .html - there aren't any it's just the norm.

Exactly - there are none, but there is a few by parsing php inside .html files and keeping a .html extension. That was my whole point.

Best regards,

[mikesmith76]

Exactly - there are none, but there is a few by parsing php inside .html files and keeping a .html extension. That was my whole point.

I'm still not sold on these "advantages" but as you said it's all probably down to personal opinion.

[EArmand]

More info on this...

www.php.net/manual/en/security.hiding.php

[mikesmith76]

Taken from the first line of your quote

In general, security by obscurity is one of the weakest forms of security

This was exactly the point i was trying to make. If you use this method as part of a whole host of other security measures then thats fine. However simply changing the page extension and calling the page secure is foolish at best. I wouldn't want business critical scripts "secured" in such a manner