Does changing the .htacces file to allow the programmer to have PHP codes in an HTML file (extension .html) compromise with the security of the page?
Is that the reason why files with any PHP scripting are given the extension .php?
No. It does not yield any security problem if the file is interpreted and executed as a php file. You can even make any extension like ".asp",".jsp" anything you want. Furthermore this may sound a more secure way since an attacker sees the extension and thinks that it is an asp file.
However in my opinion it is not a good practice and may make development more confusing. I think if it is a php file the extension should be .php
If your desire is to provide security You should check url rewriting and hiding the extension. This way is a more convenient approach.
Actually, having your files containing PHP scripts bear .html extensions provides more security, not less. This kind of security, known as "security by obscurity", affords a small measure of protection. When a malicious hacker comes across an HTML page, s/he may assume that the page was produced by HTML rather than being the output of a page containing a PHP script. However, if the hacker is sophisticated, s/he could verify whether you run PHP on your server by checking header info returned by the web server. It's a good idea to set the php.ini setting expose_php = Off to avoid exposing PHP in the header information; see Manual.
If you use a .htaccess file or are able to modify your web server configuration settings, it will impact performance by having all HTML files parsed by the PHP interpreter, including those pages that contain pure HTML. Sending pages that don't require PHP parsing is undoubtedly a wasted effort, but the amount of time involved is reputedly insignificant. If you can modify the settings in your web server's config file, that's preferable since using a .htaccess file may cause your website to perform a little slower.
This kind of security is insufficient in itself to provide optimal security. You still must regard all form data as possibly tainted and validate it. Know what your form values should be and test for those values. The best security involves multiple layers of protection.
See the Manual for more ideas about "security by obscurity". Note, that page does not recommend URL rewriting as a security measure, although it is an option. One should have a very good understanding about URL rewriting since the subject is far from trivial.
"... it is easy to make mistakes when configuring mod_rewrite which can turn into security issues." (See Apache Week, mod_rewrite)
However, if you neglect to set expose_php = Off in your php.ini file the URL rewriting may not really hide the PHP as you might suppose. If you run a php script containing this line:
print_r(get_headers($url,1));
you could get back some very revealing info, as the following partial result shows when I set $url to a page at one of my favorite sites:
Array
(
[0] => HTTP/1.1 200 OK
[Server] => nginx/1.6.2
[Date] => Thu, 18 Dec 2014 09:59:06 GMT
[Content-Type] => text/html; charset=utf-8
[Connection] => close
[X-Powered-By] => PHP/5.5.11-2
Actually changing file endings of PHP files is rather dangerous. I experienced some problems first hand:
If one of these cases happen, any programming included in your PHP file can now be read by everybody. If there are configuration settings in your PHP file (DB connections, etc.) or some common programming mistakes (print $_GET['search'];) every attacker will now about them.
If your really want to keep your HTML file-ending, consider mod_rewrite.
The only thing security related that you can add to .htaccess is user authentication. Beyond this, there is nothing that .htaccess can provide that will enhance the security of your application.
Do not rely on .htacess gymnastics for security purposes.
If you are porting over an existing website and doing it in stages, then it makes sense to use the same URL as those that might be bookmarked or referred to by other areas of your application; in this case you can use .html
If possible, try to use redirection and you can do that using .htaccess; but in some cases (for example, if you are trying to convert an existing file that is the target of a POST form into PHP) adding a redirect will make the form unusable as the payload will be discarded.