Protecting my php scripts

Status
Not open for further replies.

bclt

Programmer
Mar 13, 2005
363
GR
Hi,

I have a form that uses a script to show the results in the browser. How can I prevent the users from typing the URL to the script to download it and see the code?

One thought of mine is to put the scripts one level up of (or in Could this work ?

And one other question (posted before but no answer)
- What have I done wrong with this: if a form has action="file.php" and I hit submit, the browser shows me the code of the script; whereas if I browse the file ( the browser shows me the right result.


Tnx
 
What you see is the difference between viewing the file locally and viewing it through a web server. If users can only access your file through the web server, then you won't have to worry about them seeing the script. Is this page a web page on the Internet?

Lee
 
It will be sometime, when I have learnt a little more about PHP. The scripts will not be in the HTML page but as single .php files. So don't worry?
 
Users cannot see the source code of the script when it is properly named and served by the web server.
That means:
Be sure there are no backup files which could expose the code. Any editor that adds something and creates a backup is a potential risk for exposure.
Let's say your file is index.php and there's a backup index.php~ (emacs), or index.php.bak (e.g. EditPlus) then users could access those files (if they know they exist). Malicious users would certainly probe for such files with an automated exploratory process.
Keep really secure information outside the web server's document root. PHP can read anywhere on the filesystem; the web server reads only below the web root.
Store passwords and usernames for database connections outside of the web root and use a require() or include() statement to get them into the script.
Theoretically a script could be as simple as:
Code:
<?php
require('/usr/home/me/phpbin/index.php');
?>
All code would sit outside the web root and is included with the require() statement. If the script which resides in the web area is compromised, the above code is all that would be exposed.
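A check for the backup-file risk described in the post above, as an added example that is not part of the original thread: it walks a document root and lists copies of PHP files whose names no longer end in `.php`, which the web server would send as plain text instead of passing to the interpreter. The function names, the suffixes beyond `~` and `.bak`, and the assumption that only `.php` is mapped to PHP are illustrative.

```python
import os
import tempfile

# The post names index.php~ and index.php.bak; the other suffixes are assumptions.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".tmp")
PHP_EXTENSIONS = (".php",)  # extensions assumed to be handed to the PHP interpreter


def is_exposed_php_copy(filename):
    """True if the name looks like PHP source that would be served unparsed."""
    lower = filename.lower()
    if lower.endswith(PHP_EXTENSIONS):
        return False  # still executed by PHP, so the source is not sent
    for suffix in BACKUP_SUFFIXES:
        # index.php.bak -> stem index.php ; .config.php.swp -> stem .config.php
        if lower.endswith(suffix) and lower[: -len(suffix)].endswith(PHP_EXTENSIONS):
            return True
    return False


def find_exposed(docroot):
    """Return sorted paths (relative to docroot) of exposed PHP copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if is_exposed_php_copy(name):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed document root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "admin"))
        for rel in ("index.php", "index.php~", "index.php.bak",
                    "admin/.config.php.swp", "admin/login.php", "readme.txt"):
            with open(os.path.join(docroot, rel), "w") as fh:
                fh.write("<?php /* constructed sample */ ?>")
        return find_exposed(docroot)


if __name__ == "__main__":
    for path in demo():
        print("served as plain text:", path)
```

Pointing `find_exposed()` at the real document root before each deployment catches editor leftovers while they are still only on disk.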
 
Don't get everything but thanks anyway.

Can you suggest anything about the 2nd question in this thread? I can't get PHP scripts to work (<scriptname>.php) by setting a form action. They only work if I type
 
If the page with the form in it isn't run through a web server, the PHP page probably won't be run through the PHP interpreter. What is the exact URL of the page that refers to the PHP page as the form action?

Lee
 
I'm testing on my PC, not on a real server. Even if I copy the html page and the script in the localhost.

trollacious, you said the right thing: "probably won't be run through the PHP interpreter". That is happening. The interpreter works if I call the file script only in this way: If the file is called by the html page the browser won't execute the script but shows me the code.
 
Well, I think you have to have it on a server that supports PHP or install PHP on your computer... otherwise the PHP won't be parsed, and I think that's what's causing the problem here.....
 
What operating system are you running? If you don't have a web server running, you won't be able to do what you want. When you put the script on the computer where others will have access to it, will that have a web server running?

Lee
 
Win XP Pro sp 1 & 2.
I have Internet Information Services running.

If I copy the script in C:\inetpub\ and open IE and write in the address bar " the script does run normally. Of course it prints some error messages because it is supposed to run after one html page to get some variables (textfield texts) and make some calculations
 
Okay, you have the solution to your problem then: run the script through the web server.

Lee
 
Lee,

so why should I use php and not html? The script should run after hitting submit
 
Why should it run if you don't run it through the web server? Do you have PHP configured to run local scripts, too? If you're submitting a form, what do you have running to handle HTTP requests?

As for why you should use PHP rather than plain HTML, only you can answer that question. It looks like you need to process the variables from a submitted form, and that's best done with SOME kind of server side language. If you're running IIS, then you can use ASP, too, but it's your choice. If you don't need to handle form variables, then plain HTML would be fine. If you do, there's nothing in HTML to do that.

Lee
 