is there a way to get the php source without having the file...


unborn

Programmer
Jun 26, 2002
wondering for security issues.. because i don't want anyone getting my info if i have it in the php script.. can download managers dl the script or php or other code be made to get the script coding without having login access to the site? if so perhaps you can share a few ways to prevent this.


thanks

in the beginning man created code.
in the end code will create man.
clones are coming only matter of time.
examples?
 
PHP executes on the server. The client has no idea that the page it is fetching was even created with PHP, except for a few extra headers which can be turned off.

//Daniel
 
wicked useful info thanks...

 
I tried to force a download manager to dl the source code of a php file placed on the server and it downloaded only the html output from the script, so the script was executed even when the request for downloading was made. It seems that PHP provides some basic security mechanism.
 
to be more accurate, it's apache (or whatever web server daemon you use) that is providing the security, meaning when it gets a request for a web page, it is parsed by the PHP module first because the web server is built with that support.

I know of no way, other than a D.O.S. attack on your apache server, to get apache to NOT parse the file through PHP before it's sent on to the client.
 
As for security:

There is one dirty trick.
If SYMLINKS are enabled on apache and you name your SYMLINK this.txt and point it to a PHP source file it will display as is.

If anyone could write a script that includes the PHP source file and just prints it, it will not be interpreted by Apache since it is output from PHP.

The scenario above is only if someone has access to your server. It is, however, worth knowing.
 
ya i tried making php scripts to show pure php but i'm sort of new so i didn't know if i just suck or if you really couldn't do it.. but it makes sense... because in php you store your database user and passwords and stuff.. so i imagine they would do their best to keep source out of others' hands.

 
Aside from DRJ478's note it is also possible to view PHP source if the server admin really screws up the server/PHP configuration and allows PHP to be read without processing...

Q: what happens if you try to view a PHP file on a server without PHP?
A: plain PHP source text

This situation is extremely rare but conceivable.

You might want to consider PHP encoding like that of the Zend Encoder (zend.com). This creates files that cannot be read even if an unauthorized user gains access to the pre-processed scripts.

- - picklefish - -
 
I'm also not sure that that's complete... I'll run some tests when I have a chance, but there're protocols like BITS and such which often let a person request the actual file... I think I've done this with PHP on a php enabled server, but I'm not 100% on it.
 
This will go forever, but anyway, here's another thing to keep in mind:

If someone gains access to your MySQL username and password by getting to your PHP code you can always put another barrier in the way - but only if you administer your own MySQL server.

Define the database users that access MySQL through the web and restrict the IP of the hostname to your web server's IP. Give them absolutely NO privileges in the users table and only assign privileges on a database or table level.

To gain access to the databases this will also require the hacker to spoof the IP and impersonate your host. If you set ingress filters at the border router level you should be all set against that.
 
ya i'm working on a *bought* server.. meaning i only have space on a server, it's not mine.

thanks for the very good points, makes me feel a little safer.

 
some programmers link the source code to the phps file

example
if you pull up index.php try pulling up index.phps

to try this yourself, just copy your php file over to a phps file. you can then pull up the new file and see the real code.
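
A defender-side check for the exposures raised in this thread (a symlink such as this.txt pointing at a PHP script, and .phps copies), added here as an example and not part of any post. It goes one step further and also flags PHP code saved under other non-PHP names; the sample docroot, `PHP_EXTS`, `VIEW_EXTS` and the function names are constructed for the demo, and the extension mappings are assumptions about the server's handler configuration.

```python
import os
import tempfile

PHP_EXTS = {".php"}    # assumption: only these extensions are mapped to the PHP handler
VIEW_EXTS = {".phps"}  # assumption: mapped to the highlighted source view

def looks_like_php(path):
    """True if the first 4 KiB contain a PHP open tag (unreadable files count as no)."""
    try:
        with open(path, "rb") as f:
            return b"<?php" in f.read(4096)
    except OSError:
        return False

def audit_docroot(docroot):
    """Return sorted (relative path, reason) pairs for files that would expose source."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS:
                continue  # executed by the PHP handler, not sent as text
            target_ext = os.path.splitext(os.path.realpath(path))[1].lower()
            if ext in VIEW_EXTS:
                findings.append((rel, "phps source view"))
            elif os.path.islink(path) and target_ext in PHP_EXTS:
                findings.append((rel, "symlink to PHP source"))
            elif looks_like_php(path):
                findings.append((rel, "PHP code under non-PHP name"))
    return sorted(findings)

def build_sample(root):
    """Constructed docroot: one real script plus three ways its source leaks."""
    script = os.path.join(root, "index.php")
    code = "<?php $db_pass = 'PLACEHOLDER'; ?>\n"
    for name in ("index.php", "index.phps", "index.php.bak"):
        with open(os.path.join(root, name), "w") as f:
            f.write(code)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("plain text, not PHP\n")
    os.symlink(script, os.path.join(root, "this.txt"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, reason in audit_docroot(root):
            print(f"{rel}: {reason}")
```

Point `audit_docroot` at the real document root and adjust `PHP_EXTS` to match the extensions your server actually hands to PHP.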
 