Read a web page without the php being parsed
Can someone load a web page that consists of php and be able to read the code, apart from when php is down on the server?
I don't want to do this or know the name of any program that will do it, I just want to know if this is a possibility so I know how secure the php code is on an actual web page.
Thanks
- feyd
So long as PHP is set to parse the files in the requested folder, there shouldn't be an issue of the code being readable unless you build them with such a "feature." That does not mean the code could not be read by, say, another user on the same server and the folders aren't read protected; however, that is an issue the server administrator should deal with (and frankly, that's what they're paid to do, among other things).
OK, but does anyone know if a program exists, one that someone could use maliciously from their computer to grab the html/php from a web page without it having been parsed? maybe some program like a browser that shows the unparsed text 'code' from the web page rather than the parsed version as say Internet Explorer would do?
The reason I ask is that I am fairly sure that I had read a couple of years back that this was a possibility and something that developers should be aware of, but I don't seem to have come across this since.
Thanks
I've been able to look at code when the files were saved as somefile.class or somefile.inc through a browser. In which case the interpreter doesn't know what it is looking at and spits it out as text. It depends on your browser. But if you have these kinds of files you can protect them with a .htaccess file.
- John Cartwright
Jcart wrote:
    neophyte wrote: It depends on your browser.
    It depends on the server configuration, depending on whether or not that extension has been mapped to the PHP interpreter.
Guess that was a bit misleading. What I meant was if the file gets off the server and away from the interpreter then it's up to your browser from there -- download, onscreen text etc.
- John Cartwright
Quote:
    Do you mean that the DirectoryIndex from <IfModule mod_dir.c> in the httpd.conf file
Nope, it's actually the
Code:
AddType application/x-httpd-php .php
in your httpd.conf
Quote:
    Nope, it's actually the
    Code:
    AddType application/x-httpd-php .php
    in your httpd.conf
But if this is set to parse php the web site php files will be parsed, including any .class or .inc files, correct?
Sorry, but when I asked my question I was actually referring to a web site that was running and set up to parse php.
Thanks
- Chris Corbyn
Providing you end all your files in .php and the server parses PHP files it's not possible. There's no insecurity with PHP in this way.
If you're used to naming files with .inc etc.... I find that using:
filename.class.php
filename.inc.php
filename.tpl.php
Works well
The places you'd see insecurities are if you do something silly like file_get_contents('phpfile.php'); rather than include(). Then of course there's actual server vulnerabilities if it's badly maintained/secured but this is out of PHP's hands....