php or html?

zoobie

I think I read somewhere that renaming my .html page's extension to .php is more efficient, displays quicker, and less drain on the server...Is this true and should I do this?
Thanks :p

Ravenous

Just renaming will not be more efficient. HTML is rendered by the visitor's browser. PHP must be parsed by the server first, thus making the total display time a little bit slower. The difference is negligable (sp?), but it is there nonetheless.

So no, renaming your pages with a PHP extension will not make anything more efficient.

Although, I could be wrong.. 😃

lanjoky

Yes Ravenous is correct.... In renaming ur html docs to php docs or visa versa you will not see any quicker or slower load times.

Mordecai

Actually, it'll run an extremely little amount slower when renaming it .php. By naming it a .php, it is going to be scanned by PHP's engine, and then sent to the user. If it's .html, it'll just be sent out to the user. PHP's scanning is fast, but it's not infinately fast.

planetsim

Actually if you change the extention from .php to be parsed with .html

You will not notice any difference.

dartcol

Rather than starting a new thread I thought I should continue this one as it's relevant.

Okay, so .php files will load a tiny bit slower than .html files but the difference is negligible. Got it.

What about security? I've read in a couple of places (can't remember the urls as it was general browsing 🙂) that embedding php in a .html page can be a security risk as should the page load incorrectly (as a result of the server not working properly or such like) the php can be displayed on the page.

Obviously, passwords and other confidential data shouldn't be stored in the file itself but what if it's been included in a .php file. Doesn't this information from the .php include get displayed too? In which case, passwords etc could be displayed on the page.

Maybe I'm talking paranoid delusions here but I thought if I should ask anywhere then here's the best place due to the fact there are more people here using php on a daily basis than anywhere else I've found.

zoobie

I don't think browsers can see/display php unless it's actually echoed/printed. Otherwise, everyone would see all the scripts being run. Maybe if there was a server error, they might see...but that's once in a blue moon.

Ravenous

If you've got a page with a .html extension, don't put any PHP in there at all. The page won't be parsed by PHP so what's the point? It won't do anything for ya'.

dartcol

The site I admin has about 130 .html pages. Rather than break cached links by changing the extension to a .php I use a .htaccess file to put .html through the php parser allowing me to keep the .html tag but also use php within the pages. Sounded a sensible compromise to me rather than change every entension. However, if it's a security risk then I guess I need to get them changed.

Someone else said to me that search engines look for .html files the most. I'm off to take a look now at how search engines decide which pages to gather now but in the meantime, if anyone knows anything about this then I'd be grateful for any hints.

zoobie

I'll save you the trip...Search engines treat all page extensions the same. If they didn't, do you think everyone would be scrambling to change the page extensions to the preferred .zzz? 😃

Weedpacket

Originally posted by dartcol
What about security? I've read in a couple of places (can't remember the urls as it was general browsing 🙂) that embedding php in a .html page can be a security risk as should the page load incorrectly (as a result of the server not working properly or such like) the php can be displayed on the page.

Nyet(ish). If the .html page is being treated as .php, then PHP would have parsed the PHP, so the server would only be sending out the resulting .html - exactly as if the file was named .php in the first place. Of course, if there's PHP code in the .html file and the file is only being treated as an ordinary HTML file would be, then all the PHP code would of course be served up to the browser - to the great amusement of visitors - because PHP was never asked to have a look at it. If the server for some reason fails to take that configuration instruction into account then that could cause trouble; but then, the same sort of failure could see .php files being served up as plain HTML anyway.

As for search engines, they're probably more wary of indexing pages with querystring attachments. But URL rewriting can fix that, too.

codeDV

I have witnessed occasions while browsing the web where by a PHP or ASP page has been passed incorrectly. There could be any number of resons for this but it can sometimes result in server side code being sent to the web browser.

With regards to passwords it would not be a good idea to put them in a PHP script. It would be better to store them in a file or an include which is above the server root. Then in the unlikely event of a user seeing your code, all they will see is a reference to the included file. As this file is above the sever root the web server will deny access to it.

You can also configure the .htaccess files in other directories to prevent public viewing of their contents.

Heres an example for a PHP file on the root directory of the web server:

<?php
  include ("../includes/passwords.php");

?>

or:

<?php
  include ("includes/passwords.php");

?>

superwormy

Some points to add / correct...

The only thing file extensions are used for is so that the webserver knows what to do with the file BEFORE it is sent to the user.

If it sees .txt, it knows to send a Content-type: text/plain header. If it sees .html, it sends Content-type: text/html.

Now, you can tell Apache to do other things too, for instance, when you install PHP, it adds this line to your httpd.conf file:

AddType application/x-httpd-php .php

This simply tells Apache to hand that file extension over to PHP before sending it to the user. If you removed this line, or someone deleted it by accident... your PHP files might be sent over as plain text, showing your code / passwords.

You can make Apache hand over file extensions over to PHP by simply adding more stuff there, .html, .htm, .asp, .txt, whatever you want.

There really is no more of a chance that .html files being parsed by PHP will be displayed without parsing ( ie plain text ) than there is that .php files being parsed by PHP will be displayed without parsing.

Any file that is going to be handed over to PHP before being sent to the user is going to be very, VERY slightly slower than if just Apache sends it. Marginally and negligibly slower. You won't ever notice the difference.

Passwords and other important files should be stored outside teh document root, so that even if Apache / PHP bombs out, you shouldnt' need to worry about those getting exposed.

Search engines don't care about file extensions. There just happens to be a lot more .html and .htm files than .php / .asp / .jsp, so it seems that way.

dartcol

Thanks for the explanations. All noted and filed. It's always good to have things you're vague about firmed up so you know what you're talking about to your boss! Time to lead him gently into the new world ... 😉

zoobie

Fire him 🆒

Chizzad

codeDV... my site is hosted by a webhosting company so I dont have access to anything over the root directory. Is there anything I could do to prevent users from seeing my passwords and/or getting to them?

Also, this has been one of the most informative threads I have read in a long while... 🙂

-Chad

superwormy

Another options might be to stick it in a folder, and password protect the folder.

It's also a good idea to name the file somethign starting with a period, along the lines of .password ( or maybe something less obvious, .myfilenamewhichnoonewillguess, but of course security through secrecy / obscurity isn't really security. But still, what can it hurt right? ) or something like that. Apache defaults to ignoring filenames that begins with . ( .htaccess, .htpasswd ) when displaying directory indices.

But of course, they won't be able to get a directory list anyway, because you're also going to put a index.htm or index.html file in that directory as well, just a blank page that shows them nothing at all so they can't get that directory listing from Apache.

codeDV

You can set permissions on each object (file and folder) on your web server. The way in which you do this depends on how you access your root directory.

Each object has an Owner (author), Group (the users of the group to which the owner belongs) and others (any user who is not a member of the owners group) associated with it.

You can then in turn set three types of permission for the Owner, group and others categories. Theses are read (view file or directory), write (wrtie to file or directory) and execute (list directory contents or execute file).

A file that can only be changed by the owner would have the following permissions:

owner RWX
group R-X
others R-X

A file that can only be changed by its owner and read by its associated goup would have these permissions:

owner RWX
group R-X
others ---

The above would effectivly stop a web viewer from seeing your file as he/she would fall in the the others category.

For a much more detailed explanation on file permissions see this article.