2

Are there any security / performance concerns if we set the Apache web server to configure Apache to handle all HTML as PHP? I was specifically referring to:

AddType application/x-httpd-php .php .php3 .php4 .html

I was in a situation where I needed to add some PHP logic into some HTML files; ideally, I didn't have to change the filename e.g. page.html to page.php (to keep the page rank, etc. for page.html).

This is related to the following question: httpd AddType directive

Edits: From the existing answers / comments below, it looks like the community suggests to either use redirects or only target specific HTML files. The constraint is that I am redesigning an existing site (400+ HTML pages; each of them uses some sort of Dreamweaver template that pulls in the header and footer from different files). I was hoping to completely shy away from Dreamweaver move into something non-proprietary. So, I am down with two options:

  1. Use Server Side Includes (SSI) to pull in the header and footer. This will result in all my HTML files to be decorated with SSI.
  2. Sprinkle some PHP snippet to include the header and footer. For this choice, I have to make sure the file name stays unchanged.
Community
  • 1
  • 1
moey
  • 10,587
  • 25
  • 68
  • 112
  • 3
    Have you considered using URL rewriting instead? – Oliver Charlesworth Aug 24 '11 at 20:29
  • 2
    don't forget that it will be readable, if you accidentally reconfigure ie. forget about this – Igoris Azanovas Aug 24 '11 at 20:30
  • Oli has a good point here. A rewrite would be a very safe (not to mention simple) sollution. – Damien Aug 24 '11 at 20:31
  • There'd be some extra parseing overhead on the pure-html files, but otherwise there shouldn't be any difference... UNLESS some of those HTML pages contain PHP code as examples, in a "do-not-execute" type situation. Now that .html files are parsed/executed as php scripts, that sample code would be executed as wel. – Marc B Aug 24 '11 at 20:33

2 Answers2

6

The more files the server determines it needs to pass through the PHP interpreter, the more overhead involved, but I think this goes without saying. If your site does not have ANY pages with plain HTML, then you're already paying all the performance penalties that you could possibly pay - adding HTML to the list is no different in this case than simply renaming all the files to have a .php extension.

The real performance penalty would come if you do have plain HTML pages - the server will needlessly pass these pages to PHP for interpretation when none is necessary. But even then, it isn't dramatic - the PHP interpreter won't be needed for those HTML pages, so it won't do anything aside from determining that it doesn't need to do anything. This has a cost, but it isn't significant.

Now, if we're talking high-volume here, every little bit of performance matters and this would not be a practicable solution. For low- to mid-volume sites, however, the performance penalty would be nill.

If this is a one-time change and there are a limited number of files that are affected, then it may be more conservative to use a FilesMatch directive.

<FilesMatch "^(file_one|file_two|file_three)\.html$">
  AddType application/x-httpd-php .html
</FilesMatch>
Chris Baker
  • 49,926
  • 12
  • 96
  • 115
  • I see you have added `FileMatch` also ;) Also +1 because we all know who really gave you the -1 don't we? Return the favor if you'd like. – Amir Raminfar Aug 24 '11 at 20:47
  • I did return the favor, but I am not certain who it is downvoting these factual answers. I don't think any of the answers here are patently false, or even ill-advised - they all should be upvoted or non-voted. Meh. :) – Chris Baker Aug 24 '11 at 20:50
4

I disagree with Tuga. I don't think you should make this change for all your files. Anytime you deal with security, you should try to control the environment. Doing it only for one file is probably the safest. You could do something like

<FilesMatch "^file_name\.html$">
AddType application/x-httpd-php .html
</FilesMatch>

This will only match file_name.html and process it as .php where it is much safer to do this than treat ALL .html files as php.

Amir Raminfar
  • 33,777
  • 7
  • 93
  • 123