Can people see my PHP code if the rendering fails?

To run PHP, I had to enable it on the Apache web server. No one can really see my .php files, because when they are extracted by the server, they are displayed, and the client sees only CSS / HTML / whatever. This may just highlight that I am new to PHP.

Is it possible for someone to violate the PHP rendering part of my server so that clients can see my .php code when they request a page?

And if this can happen, what precautions can I take to keep my sales code private?

Again, this may not even be a real problem, but I would like to know.

+8
php apache source-code-protection
6 answers

There are two ways to do this:

  • An incorrectly configured web server that does not execute PHP files. This has nothing to do with the user causing the error.
  • Launch custom debugging features that display errors with code on the screen. For example, if you use a third-party structure, it may do this automatically. The user can run something like this.

To prevent problems in any of these situations:

  • Do not embed sensitive information (such as passwords) in the source files. Instead, include them from files that live outside the web root. Therefore, if your source becomes visible, no one will be able to access this personal data.

  • Do not display errors on the screen during production. The database password may be displayed in an exceptional case.

  • Be sure to turn off any development / debugging settings during production.

+6

As others have said, a misconfigured web server that processes .php files as plain text will happily serve your source code.

Most frameworks (both state and domestic) nowadays keep very little PHP code in an area accessible to the Internet. Typically, there is one index.php file in the document root directory that includes and calls code in other files that are completely outside the document root.

Usually you will have something like this:

/path/to/proj/                  <-- your project root
/path/to/proj/application       <-- holds most of your application code
/path/to/proj/lib               <-- third-party libraries go here
/path/to/proj/public            <-- your web server uses this as the document root.
/path/to/proj/public/index.php  <-- single point of entry into your application. all requests are routed through here.
/path/to/proj/public/images     <-- static resources, like images, also live under the docroot.

Rewrite rules are typically used to sort any request through one public index.php file.

With this setup, if your web server were ever configured incorrectly so that it passed your code through, you would be pretty much covered. The only leak will be your index.php file, which is probably a couple of include / require statements and one function / method call. Nothing special.

Look at the standard Zend Framework or Symfony (or any framework, really) file layout for a clearer picture.

+7

Is it possible for someone to violate the PHP rendering part of my server so that clients can see my .php code when they request a page?

This can only happen when the web server software has been misconfigured so as not to process .php files as PHP. There is no custom way to do this.

Several times, when this happened in the past on high-profile sites, there were configuration errors and typos, for example, the <?php tag was not opened correctly, thus displaying the rest of the code in this single file.

+4

No. Correctly configured PHP code will not output itself, unless you tell it to. (Misconfigured servers that don't know that they should execute .php files will probably just output them as plain text. In this case, you will have problems.)

You only need to keep track of this in rare situations - for example, when you extract the contents of a file and return it to the user, you can add verification that the extracted file is not your PHP code.

But in 99 out of 100 cases you do not need to worry about it.

+1
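
The check this answer mentions, as an added example that is not part of the original answer: a handler that reads a file and returns it to the user, confined to one directory and limited to allow-listed extensions so it cannot hand back PHP source. The endpoint name, `DOWNLOAD_DIR`, `ALLOWED_EXTENSIONS` and `resolveDownload()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions: hypothetical download.php?file=NAME endpoint; files to serve
// live in a directory outside the document root; extension allow-list is ours.
const DOWNLOAD_DIR = '/path/to/proj/downloads';
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'txt'];

/**
 * Map a user-supplied name to a servable file under $baseDir.
 * Returns null when the name escapes the directory, does not exist,
 * or has an extension that is not allow-listed (.php, .inc, .phtml, ...).
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    // NUL bytes are never valid in a file name; reject them early.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks and returns false if missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the download directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $path : null;
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveDownload(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);   // same answer for every refusal
    exit;
}

// readfile() copies bytes to the response; it never parses or executes them.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="'
    . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The extension is checked on the resolved path rather than the requested string, so a symlink or a "../" sequence cannot point the handler at a .php file elsewhere on disk.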

This is not a normal problem, but writing / using unreliable PHP (and other software for that matter) can leave holes. For PHP, it is important to use defensive programming, such as escaping SQL queries that include any user input, escaping special characters (htmlentities() helps, but this is not always enough), and being sure of the safety of what you allow people to enter that directly affects your code and databases.

+1

I would say that it really depends on the security of the server itself; if it has become vulnerable to attacks, it is likely that your code may also be compromised.

As for PHP also being exposed by its server settings, in the past I have seen people asking why they see their PHP code displayed on a web page that uses the short <? tag, which by default is usually not allowed on servers, causing the PHP to be displayed.

+1