Page 1 of 1

Php code visibility question

Posted: Mon Apr 25, 2011 3:58 pm
by Magnumwolf
Hi,

Ive just started learning php and im begining to get a little confused with some elements of php, the main issue being around the users visability of php code.
I have noticed that if you select the "view page source" option on a webpage in firefox the HTML code is shown but not the php, i assume that this is because either

1) The firefox source viewer does not support php
or
2) The web server (apache in this case) "compiles" the php and therefor the original code is not passed on to the webpage user

The reason that this interests me is that I have the following code which holds the username and password for my MySQL database hard coded into a php file

Code: Select all

class DataBaseConfig
{
    public $Username = "root";
    public $Password = "password";
    private $m_Localhost = "LocalHost";
    private $m_DatabaseName = "UsersDatabase";
    private $m_DatabaseTableName = "UserData";
    
    public function ConnectToDataBase()
    {
        $DatabaseConnection = mysql_pconnect($this->m_Localhost, $this->Username, $this->Password);
        if (!$DatabaseConnection)
            echo "Error connecting to database.\n";
        mysql_select_db($this->m_DatabaseName) or die ("Unable to select database!");
    }
I am interested to know if it would it be possible for someone to view the code without having direct access to the web server that is holding all of my files?
I would also be interested to know if this is how database connection information is commonly stored or are other more secure methods used?

If anyone could help me to understand this it would be greatly appreciated.

Thanks,
Magnumwolf

Re: Php code visibility question

Posted: Mon Apr 25, 2011 4:21 pm
by strafingmoose
PHP is an interpreter. The way the web server is configured is that if a client requests a file ending with .php, it will call PHP's interpreter. The script then controls the output seen by the client.

Is it impossible to view the raw content of file if the web server has associated it with an interpreter unless it gets hacked.

I also have been wondering if thre are more secure ways of holding such information.

Re: Php code visibility question

Posted: Mon Apr 25, 2011 5:52 pm
by superdezign
There's no need to worry. The only people with access to that information are the people with access to your server or to your FTP. As long as you don't store it inside of anything visible on the client-side, such as in cookies, then it's safe.

Re: Php code visibility question

Posted: Mon Apr 25, 2011 6:25 pm
by califdon
strafingmoose wrote:Is it impossible to view the raw content of file if the web server has associated it with an interpreter unless it gets hacked.
Just to emphasize the if there, a misconfigured web server could easily dump all the PHP code instead of interpreting it. I don't think this is at all common, so under "normal" conditions, no PHP is sent to the browser, but for a very sensitive application, this might be something to consider. Also, if an error exists in the source code, such as a malformed <?php tag, the server might not recognize the PHP code. Again, these are hopefully rare, but just so you don't go away thinking that "nothing could possibly go wrong ... go wrong ... go wrong ... go wrong ..."