View PHP code in browser 2

titanandrews (Programmer)
Hi,
I was wondering if it is possible to view someone's PHP code. My understanding is that the only way it can be seen is if the web server is configured wrong, but I want to know an expert opinion on this. Is it possible for someone to get your database connection information, or anything else that should be secure?

thanks,

Barry
 
PHP is a platform-agnostic programming language that can be used on a legion of operating systems with a multitude of web servers. It also makes use of vendor-written external libraries to support many of its function families. It is impossible to say, given that many variables, how susceptible your installation is to being hacked or whether your particular installation is susceptible to being hacked at all. Vulnerabilities of one OS or web server or library will not apply to another OS or web server or library.

So, is it possible that some brand of web server on some OS will have a buffer overflow or something that will allow a hostile entity to inappropriately view your PHP source, even if the web server is configured correctly? Probably.


And given the general nature of the question, I can only give general tips:
- Use a firewall.
- Patch your OS.
- Patch your web server.
- Patch PHP.
- Read the security section of the PHP online manual:


Want the best answers? Ask the best questions: TANSTAAFL!!
 
You have answered my question.
I am using Redhat 8.0 with Apache, which I presume is about as secure as you get.


thanks,

Barry
 
It's pretty much a more specific iteration of my previous advice.

With Linux, make sure that you are not running any daemons you do not need to run.

Even if you have a firewall on the border of your network, I recommend that you set up IPTables to also limit access to your server. You want to be as paranoid as possible.

Make sure you are running the latest version of Apache, either of the 1.3.x or 2.0.x series. Be restrictive in various capabilities you enable in various directories.

Make sure that you are running the latest version of PHP, which is currently 4.3.4. For maximum functionality, I run PHP as a module. I generally compile PHP from source because I can control which of PHP's functions are available. Don't go crazy adding modules you don't need, particularly in a production environment.

Take care to read the link I gave earlier on PHP security. There's nothing much not in there that I can tell you. The default php.ini includes best configuration practices, but you might want to review the settings anyway.



Want the best answers? Ask the best questions: TANSTAAFL!!
 
I just thought of a way to view PHP sources on the client side..I think..

Using a download manager such as Download Accelerator Plus .. or GetRight, putting in the full path to the file, and downloading it. Then you'd have their source code, would you not?

 
But, doesn't that use FTP. I don't think you would have access to directories within the Web Server. Right?


Barry
 
No, I don't believe it does use FTP.
When I had my Windows box, and used DAP5 I could just enter in the URLs in the download path, and download pretty much anything I wanted... CSS files, JS scripts, etc.

Unless of course they had some sort of anti-download script in place.. that wouldn't allow Download Managers access to the files.


As for the other question.. no it didn't allow me access to their server directories, just allowed me to snag their files.

 
I just tried it myself using Download Accelerator against this file (Just pulled it up at random) and it does not contain any PHP code when I download it to my local computer. Just the HTML. I believe the Web Server is going to translate the PHP no matter how you connect. If you do get this to work, I want to know.



Barry
 
Well then maybe it doesn't work. It's been quite a while since I've been on a windows computer (now that I run Mandrake 9.1).

I guess you proved me wrong.. ah well.
And I suppose the only true way to get the code is if your server gets cracked.
Good deal, and less for me to worry about.

 
As you have seen, download managers work with HTTP so you are simply making a request of your web server without the browser's visual interface. You cannot obtain the PHP source if it is passing through the web server properly.

If you are phobic about security, you might try the Zend Encoder from zend.com. This hides your code from even the web server administrator.

You might also place all of your secure PHP scripting in a non-public web folder on your server. You can call on these PHP pages as includes/requires.

- - picklefish - -

Why is everyone in this forum responding to me as picklefish?
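A concrete version of the non-public-folder layout picklefish describes, written as an added example rather than code from this thread; the paths, the APP_ENTRY guard and the placeholder credentials are assumptions:

```php
<?php
// Added example (not from the thread). Keep the file that holds the
// database credentials OUTSIDE DocumentRoot and pull it in with require,
// so no URL maps to it even if Apache were misconfigured to serve raw
// .php files. Assumed (hypothetical) layout:
//   /var/www/html/index.php          <- public, served by Apache
//   /var/www/private/db_config.php   <- not under DocumentRoot
//
// Belt and braces: if some includes must live under DocumentRoot, deny
// them by name in httpd.conf (Apache 1.3/2.0 syntax):
//   <Files ~ "\.inc$">
//       Order allow,deny
//       Deny from all
//   </Files>

// ---- contents of /var/www/private/db_config.php ------------------
// Refuse to run unless an application entry point loaded us; a stray
// direct request (should the folder ever become reachable) gets 403.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access denied.');
}
// Placeholder values, constructed for the example.
$db_config = array(
    'host' => 'localhost',
    'user' => 'example_user',
    'pass' => 'example_password',
    'name' => 'example_db',
);

// ---- contents of /var/www/html/index.php -------------------------
define('APP_ENTRY', true);
// dirname(__FILE__) resolves relative to this script, not the current
// working directory, and works on PHP 4 as well as 5+ (__DIR__ needs 5.3).
$private_dir = dirname(__FILE__) . '/../private';
if (!is_readable($private_dir . '/db_config.php')) {
    // Fail closed without echoing paths or credentials to the client.
    header('HTTP/1.0 500 Internal Server Error');
    error_log('db_config.php missing or unreadable');
    exit('Configuration error.');
}
require $private_dir . '/db_config.php';

// Use the credentials server-side only; nothing in $db_config is ever
// sent in the HTML the web server hands back to the client.
$dsn = 'mysql:host=' . $db_config['host'] . ';dbname=' . $db_config['name'];
echo 'Connecting to ' . htmlspecialchars($db_config['name']) . "\n";
```

Splitting the two sections into the two files named in the comments is the only change needed to deploy it.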
 