How do I stop people reading my PHP scripts

Status
Not open for further replies.

towerbase

Programmer
Jul 31, 2002
1,053
GB
I'm fairly new to PHP and have almost no knowledge of Unix as I develop under Windows.

I've written a small application in PHP which I've uploaded to a (Unix based) web hosting site. About 500 people have used it.

Today I received an email from someone commenting on my PHP scripts!

Fortunately, there's nothing of any real value in the scripts or the database.

How can I stop anyone accessing the PHP scripts?

Andrew
Hampshire, UK
 
Nobody should be able to read your scripts' source code if they are interpreted by the server - which I assume is the case, otherwise the scripts wouldn't work.
Maybe one of the following scenarios is true:
1. You have scripts that are included but do not end in a .php extension or an extension that is interpreted as PHP. myfile.inc for example would be served as plain text by the server.
2. There are backup copies created by your editor that have an extension different from .php

These are the only scenarios I can think of.
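
The two scenarios in the answer above can be checked on a local copy of the site before it is uploaded. The following is an added example, not part of the original thread; the function names, the constructed sample files and the assumption that only `.php` is mapped to the interpreter are illustrative.

```python
import os
import tempfile

# Assumption: the host hands only these extensions to the PHP interpreter.
INTERPRETED = {".php"}

def find_exposed_sources(docroot, interpreted=INTERPRETED):
    """Return sorted relative paths of files under docroot that contain PHP
    code but whose final extension is not interpreted, so the web server
    would send their source to the browser as plain text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            # "index.php~" -> ".php~", "index.php.bak" -> ".bak", "db.inc" -> ".inc"
            ext = os.path.splitext(name)[1].lower()
            if ext in interpreted:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable file: nothing to report
            # Bare "<?" is not matched, to avoid flagging "<?xml" documents.
            if b"<?php" in head or b"<?=" in head:
                rel = os.path.relpath(path, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_tree(root):
    """Write a constructed sample docroot covering both scenarios."""
    samples = {
        "index.php": "<?php include 'db.inc'; ?>",              # interpreted
        "db.inc": "<?php $db_pass = 'example'; ?>",             # scenario 1
        "index.php~": "<?php // editor backup ?>",              # scenario 2
        "old/index.php.bak": "<?php // manual backup ?>",       # scenario 2
        "index.html": "<a href='list.php?sort=acond'>sort</a>",  # no PHP code
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in find_exposed_sources(root):
            print("would be served as plain text:", rel)
```

Files it reports should be renamed to end in `.php`, moved outside the web root, or deleted from the server.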
 
Perhaps your server (IIS, I presume) has anonymous FTP active, so that anyone with an FTP client can poke around on your server.

How patched is your server? There have been numerous IIS bugs which have exposed script sources.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
I believe that he said:
I've written a small application in PHP which I've uploaded to a (Unix based) web hosting site
So, at least, IIS is out of the loop.
 
Thanks for your help guys.

The web server's home page says it runs the FreeBSD system. All I do PHP-wise under Windows is use a text editor to create my scripts. I then FTP them to the server and test them interactively. Bad practice, I guess, but I am very much at an early stage of learning PHP.

Maybe I have to use CHMOD? I've not used that before.

Andrew
Hampshire, UK
 
towerbase:
This is a web application which is being run at the hosting provider's server, right?

If you are distributing a script file to your users to run on their servers, you're going to need something like Zend Encoder if you want to distribute the script yet keep its source confidential.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Yes, it is a script which is being run at the hosting provider's server.

I may have misled you in my original posting: I am not distributing script files to users.



Andrew
Hampshire, UK
 
Today I received an email from someone commenting on my PHP scripts!

What kind of comments? Did they reveal info that could only have been seen in the source or are they simply referring to the output of the scripts?

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
sleipnir,

I will report it to my service provider if I can't get it resolved in the next 24 hours. I don't know if they provide support at weekends.

picklefish,

Yes, they mentioned some of the variable names in the script.


I tried using CHMOD to take Public Read permission off the PHP script. It stopped the script file from being executed by the interpreter.

Could .htaccess have anything to do with it?



Andrew
Hampshire, UK
 
[blush]
Sorry guys, I think I have wasted your time. The variable names mentioned in the email were obtained from various calls to php scripts in my index.html file.

I have various hrefs like xxxx.php?sort=acond

and I assign acond to a variable $acond in my php script.


I jumped to the wrong conclusion because of this phrase in his email "Nosing around your source code ...". Call it paranoia, if you like.

Thanks for your efforts. I appreciate it so stars for you all as compensation.

Andrew
Hampshire, UK
 