htm Extension


Can I configure Apache to recognize PHP Code in a page with an .htm
extension?  If so, how do I do it?



Re: htm Extension

Be careful when you make a change like that. When you suddenly make
non-executable files executable, you could introduce very serious

For example, say you have log analyser that produces .htm files. In the
reports, the names of the browsers are listed. If the analyser doesn't
properly escape the user-agent field, then an attacker can inject PHP
code into your site.

Re: htm Extension

I agree with Chung, this is a rather non-standard and risky kind of
change to make. Be sure to review your alternatives before choosing
this action.


Re: htm Extension

Could you elaborate on that? How would a person be able to inject code
of an improperly escaped field?

And why would this be a risk with a PHP generated .htm file and not a
static .htm file with similar escaped field?

Or for that matter, would a .php file be immune from this exploit?

Re: htm Extension


These vulnerabilities do exist; however, it is a little different because
you are adding a scripting language to a filetype that is not meant to
have a scripted language and is not default behavior.

However, most clients should always make sure to escape a field but here
is the problem.

Someone sends their user agent as: <?php echo('hi'); ?> (would most
likely be worse) and then all of a sudden your useragent in a log
writer could show that.  Now when that is parsed through php, obviously
you are going to get "hi".

Now when the useragent is used in php you cannot execute anything
because you are either parsing the value from the database or just using
the $_SERVER variable to retrieve the string.  Now I say string because
all PHP thinks of it is that it is a string.

I hope that helps and clarifies things a bit.
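
The escaping step discussed above, as an added example that is not part of the original thread: a small log-report generator that writes user-agent strings into an .htm report, with and without HTML escaping. The log lines, function names and report layout are constructed for illustration.

```python
import html
import re
from collections import Counter

# Constructed Apache combined-format log lines (sample data, not from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2005:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - - [10/Oct/2005:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo(\'hi\'); ?>"',
    '203.0.113.5 - - [10/Oct/2005:13:57:12 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11; Linux)"',
]

# The user-agent is the last quoted field of a combined-format line.
UA_RE = re.compile(r'"([^"]*)"\s*$')

def count_user_agents(lines):
    """Return a Counter of the raw, client-supplied User-Agent strings."""
    agents = Counter()
    for line in lines:
        m = UA_RE.search(line)
        if m:
            agents[m.group(1)] += 1
    return agents

def render_report(agents, escape=True):
    """Build the .htm report body; escape=False reproduces the unsafe analyser."""
    rows = []
    for ua, hits in agents.most_common():
        # html.escape turns < > & and quotes into entities, so "<?php" is
        # written as "&lt;?php" and is only ever displayed, never parsed.
        cell = html.escape(ua, quote=True) if escape else ua
        rows.append(f"<tr><td>{cell}</td><td>{hits}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>\n"

def contains_php_open_tag(report):
    """True if the report holds text a PHP handler would treat as the start of code."""
    return "<?" in report

if __name__ == "__main__":
    agents = count_user_agents(SAMPLE_LOG)
    for escape in (False, True):
        report = render_report(agents, escape=escape)
        print(f"escape={escape}: PHP open tag present = {contains_php_open_tag(report)}")
```

The same `contains_php_open_tag` check can be run over existing generated .htm files before a directory is mapped to the PHP handler.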


Re: htm Extension

Bruce A. Julseth wrote:


.htaccess file (in the directory where you want to enable it) should
contain the following:

AddType application/x-httpd-php .htm

No need to do it for the sub-directories, it's recursive.

Justin Koivisto -

Re: htm Extension


Thanks for the help.. I guess I'll remain using PHP as my extension.

Thanks again..
