I have a website developed with HTML/CSS. I also have .SHTML files as I use includes for the common areas of all pages (menu, footer, etc.).
My website is hosted in a hosting service with CPanel.
Now I’d like to start working with PHP, in order to be able to read/write a MySQL database.
I want to be able to keep working with HTML files, but having PHP sections within them.
I was reading about how to enable HTML files to have PHP code inside, and for a CPaanel environment, I wrote I have to add this command to .htaccess file, located in website filesystem root:
AddType application/x-httpd-php5 .html .htm
As I work with HTML and SHTML files, I added this command:
After that, I was able to write HTML files with PHP code inside, and it worked fine.
BUT … when I access to a SHTML page, the browser understood something wrong, and it tried to save the page.
So, my question is … how to enable HTML code to have PHP sentences within, avoiding generate side effects??
PHP scripts are not normally run from .html files, they are normally run from .php files (they may have either a .php4 or a .php5 extenstion if there is more then one version of php on a server, and it will depend on the .php4 or the .php5 as to what version of php processes the file).
Theres nothing wrong with running PHP from .html files as long as you are aware that if the .htaccess file fails to be read for any reason that the pages will not have the PHP processed.
You might need the following line as well as the one adding the type:
It’s possible that there are tags inside your html or shtml files which php executes as it’s own. Just a hunch, but check for any short tags used in your html/shtml files to see if php is interpreting them and possibly causing you errors.
They would be:
<?= ?>
<? ?>
<?php ?>
<script language=“php”></script>
the open part at the beginning, the close part at the end, and random bits in the middle.
I am not sure what would cause that to happen. I have never come across any examples of where it has happened. So the risk from using a .htaccess file would be very low.
It is low enough risk that I haven’t bothered renaming any of the thousands of pages on my site that started out as HTML and now include a lot of PHP - or rather the content in the .html file is wrapped inside a copuple of functions and then there’s an include at the end that loads in a common PHP script that supplies all the common page content and calls each of the functions at the spots where the unique parts of the page need to go.
If my .htaccess failed to work then the person viewing the page sees the unique part of the content without any of the common parts or formatting but doesn’t get to see very much PHP code if they view the source.
Anyway a .php file would suffer from the same issue if PHP were to stop running on the server for any reason. That’s slightly more likely to happen than that the .htaccess file breaks.
To secure the parts of the PHP that you don’t want people to be able to see (such as the config values supplying passwords etc) you place those parts in a file above the public folder and include them. That way ifn the rare situation where your PHP code becomes visible the person still can’t see anything useful.
I have but it’s usually because of a server upgrade of some form which jostles permissions, config files, etc. I will say it rarely ever happens (it happened to facebook once). The important thing to note is that you shouldn’t have anything in the files that are web accessible that you wouldn’t want viewable by the world. I usually use these files to include the main bits of my applications and then i dont have to worry about anything ending up out there like database passwords and what have you.
It doesn’t matter how likely it is; the fact is that you should realize that it can happen and make sure that the damage done when and if it happens, is minimal. So, don’t run .html as .php (instead, use RewriteRules to make it appear as though you’re serving up .html instead of .php – which you are actually serving), and try not put sensitive data in PHP files that might be seen by the whole world if PHP ever goes down.
The fact something almost never happens is never a reason or an excuse not to protect yourself against it (as far as coding is concerned).
If the PHP is exposed and you have sensitive data in the PHP of that file, like the username and password to your database, an unethical person could potentially log into your database and either cause havoc (delete everything) or if you store any important data there, like customer credit cards, they’d be able to steal that stuff, anyone working in PHP, especially with MySQL should read up on the security aspect first, “Essential PHP Security” is a good quick read, and I recommend it to anyone working in PHP.
