How easy is it to obtain PHP files from a Server?

myleow
Forum Contributor
Posts: 194
Joined: Mon Jun 21, 2004 7:05 pm
Location: California

Post by myleow »

I was wondering if there is a way to obtain PHP files from the server. Let's say I set up a server that serves PHP pages. How would you be able to obtain those PHP source files?

In other words, how easy is it to "borrow" other people's PHP files.

How to protect against it.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

You can't unless you somehow gain access to their server.
Archy
Forum Contributor
Posts: 129
Joined: Fri Jun 18, 2004 2:25 pm
Location: USA

Post by Archy »

Or unless you change the permissions of the files to be read / write access from out server.
myleow
Forum Contributor
Posts: 194
Joined: Mon Jun 21, 2004 7:05 pm
Location: California

Post by myleow »

Oh, so there isn't any way to get the PHP first unless you gain access to the server. That's a relief.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

Don't let it be too relieving though. Gaining access to the server is possible to do if the code isn't written tightly, sometimes it's VERY easy.

If you need security, you really should read up on PHP security, there's tons if you search Google.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

It's as easy as

```php
include($_REQUEST['page']);
```
Stuff like that should never be in your script... if a variable should only contain letters, use preg_match to check if it does... if you are including files from /pages/, make sure to do stuff to your variables to make sure they are what you think they are....
In the previous example someone could alter the variable $_REQUEST['page'] and set it to http://somesite.com/stuff/hacks.txt
and in hacks.txt put some PHP code, and then your server would run their PHP code. Their PHP code could do anything, including read out your PHP files. This is called PHP injection and is very easy to prevent against by doing something similar to this:

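```php
<?php
// Only the base name comes from the request; directory and extension are fixed.
$page = "/pages/" . $_REQUEST['page'] . ".php";
// dirname() returns the directory without a trailing slash, so compare against "/pages".
// Any "/" or "../" in the request value changes dirname() and the include is skipped.
if (dirname($page) === "/pages") {
    include($page);
}
?>
```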
I find the best way to learn about ways to protect your scripts is to think like the "hackers"

http://www.hackthissite.org is a place to legally hack which can teach you a great deal about security. I would highly recommend learning to "hack", not to destroy sites but so you can make your site more secure!

It may sound like PHP is a vulnerable language but it's really not THAT vulnerable, it's just the way some people code. With a few security measures in place PHP is very secure however... just make sure you always check variables to see if they are what you think they should be and always turn off register globals!!!

Hope I helped
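
The two checks described in the post above (letters-only validation with preg_match, then confirming the file is inside the pages directory) combined into one resolver. This is an added example, not code from the thread; `resolve_page()`, the temporary directory and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not from the thread. resolve_page() and the demo layout are hypothetical.

/** Map a request-supplied page name to a file under $baseDir, or return null. */
function resolve_page(string $name, string $baseDir): ?string
{
    // 1. Letters only. \A and \z anchor the whole string, so a trailing
    //    newline or any "/", ":" or "." in the value is rejected.
    if (preg_match('/\A[A-Za-z]+\z/', $name) !== 1) {
        return null;
    }
    // 2. Resolve symlinks and confirm the file really lives inside $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // pages directory does not exist
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false) {
        return null; // no such page
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding a single page.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($pages);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'about.php', "<?php echo 'about page';\n");

$inputs = [
    'about',                                // legitimate page
    'http://somesite.com/stuff/hacks.txt',  // remote file value from the post above
    '../../etc/passwd',                     // directory traversal
    'missing',                              // well-formed name, no such file
];
foreach ($inputs as $input) {
    $path = resolve_page($input, $pages);
    printf("%-40s => %s\n", $input, $path === null ? 'rejected' : 'include ' . basename($path));
}

// Clean up the constructed demo files.
unlink($pages . DIRECTORY_SEPARATOR . 'about.php');
rmdir($pages);
```

Only the value returned by `resolve_page()` is passed to `include`; a `null` result should produce a 404 rather than a fallback include.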