.php

High risk

PHP script

Server-side PHP source. Powers a huge slice of the web via WordPress, Laravel, and classic LAMP stacks.

MIME types

application/x-php
text/x-php

Category

code

What opens this file

php CLI
PhpStorm
VS Code + Intelephense

How to open by OS

Windows

XAMPP, WSL, Docker.

Mac

Homebrew `php`, MAMP.

Linux

Distribution php-fpm.

Ios

None.

Android

php via Termux.

Safety notes

eval and include $user_input are straight-line RCE. Older PHP frameworks still get hammered.
Compromised WordPress themes and plugins often plant a .php dropper. Monitor file integrity.

Common mistakes

Legacy settings (register_globals, magic_quotes) left behind in config remain dangerous. Move to PHP 8+ with declared types.
Concatenating SQL strings with . invites SQL injection. Use PDO prepared statements.

Related extensions

References

PHP official site