How easy is it to obtain PHP files from a Server?
Posted: Wed Nov 24, 2004 5:37 pm
by myleow
I was wondering if there is a way to obtain PHP files from the server. Let's say I set up a server that serves PHP pages. How would you be able to obtain those PHP source files?
In other words, how easy is it to "borrow" other people's PHP files.
How to protect against it.
Posted: Wed Nov 24, 2004 5:40 pm
by rehfeld
You can't unless you somehow gain access to their server.
Posted: Wed Nov 24, 2004 5:42 pm
by Archy
Or unless you change the permissions of the files to be read / write access from out server.
Posted: Wed Nov 24, 2004 7:31 pm
by myleow
Oh, so there isn't any way to get the PHP first unless you gain access to the server. That's a relief.
Posted: Wed Nov 24, 2004 7:38 pm
by rehfeld
Don't let it be too relieving though. Gaining access to the server is possible to do if the code isn't written tightly; sometimes it's VERY easy.
If you need security, you really should read up on PHP security; there's tons if you search Google.
Posted: Wed Nov 24, 2004 8:41 pm
by josh
It's as easy as
Stuff like that should never be in your script... if a variable should only contain letters, use preg_match to check if it does... if you are including files from /pages/, make sure to do stuff to your variables to make sure they are what you think they are....
In the previous example someone could alter the variable $_REQUEST['page'] and set it to
http://somesite.com/stuff/hacks.txt
and in hacks.txt put some PHP code, and then your server would run their PHP code. Their PHP code could do anything, including read out your PHP files. This is called PHP injection and is very easy to prevent against by doing something similar to this:
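<?php
// Build the path from the request parameter (the key is 'page', not '$page').
$page = "/pages/" . $_REQUEST['page'] . ".php";
// dirname() returns the directory without a trailing slash, so compare with "/pages".
// Any extra "/" in the parameter (a URL, "../") changes dirname() and fails the check.
if (dirname($page) === "/pages") {
    include($page);
}
?>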
I find the best way to learn about ways to protect your scripts is to think like the "hackers".
http://www.hackthissite.org is a place to legally hack which can teach you a great deal about security. I would highly recommend learning to "hack", not to destroy sites but so you can make your site more secure!
It may sound like PHP is a vulnerable language but it's really not THAT vulnerable, it's just the way some people code. With a few security measures in place PHP is very secure however... just make sure you always check variables to see if they are what you think they should be and always turn off register globals!!!
Hope I helped
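The check described in the post above (letters only via preg_match, and the file must sit directly inside the pages directory), as an added example that is not part of the original thread. The function name resolve_page, the temporary directory and the sample request values are assumptions constructed for the demonstration; it goes slightly beyond the post by canonicalising the path with realpath() before comparing directories.

```php
<?php
// Added example: map a requested page name to a file directly inside $pagesDir,
// or return null. resolve_page() and the directory layout are assumptions.
function resolve_page(string $pagesDir, $requested): ?string
{
    // Reject non-strings (e.g. page[]=x) and anything that is not plain letters.
    // \A and \z anchor the whole value, so a trailing newline is rejected too.
    if (!is_string($requested) || !preg_match('/\A[a-zA-Z]{1,32}\z/', $requested)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() returns false for missing files and resolves symlinks,
    // so the containment check runs on canonical paths.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding a single page.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($pagesDir);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

// Constructed request values, including the URL quoted in the post.
$samples = ['home', 'missing', 'http://somesite.com/stuff/hacks.txt', '../home', "home\n", ['home']];
foreach ($samples as $value) {
    $file = resolve_page($pagesDir, $value);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-42s => %s\n", $shown, $file === null ? 'rejected' : 'include ' . basename($file));
}

// Call site in a real script (sketch):
//   $file = resolve_page(__DIR__ . '/pages', $_REQUEST['page'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

// Clean up the constructed demo files.
unlink($pagesDir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($pagesDir);
```

Only 'home' resolves to a file; every other sample value is rejected before include is ever reached.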