Read a web page without the php being parsed

mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

Can someone load a web page that consists of php and be able to read the code? Apart from when php is down on the server.

I don't want to do this or know the name of any program that will do it, I just want to know if this is a possibility so I know how secure the php code is on an actual web page.

Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

So long as PHP is set to parse the files in the requested folder, there shouldn't be an issue of the code being readable unless you build them with such a "feature." That does not mean the code could not be read by, say, another user on the same server and the folders aren't read protected, however that is an issue the server administrator should deal with (and frankly, that's what they're paid to do, among other things).
mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

OK, but does anyone know if a program exists, one that someone could use maliciously from their computer to grab the html/php from a web page without it having been parsed? maybe some program like a browser that shows the unparsed text 'code' from the web page rather than the parsed version as say Internet Explorer would do?

The reason I ask is that I am fairly sure that I had read a couple of years back that this was a possibility and something that developers should be aware of, but I don't seem to have come across this since.

Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The code is never transmitted to the requesting agent unless the code or the server does so on its own. If php handles the request, php only returns what the script outputs, be that the code from the script or HTML or an image.
mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

OK, I guess what you are saying is that this is not possible to do.

Thanks
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

I've been able to look at code when the files were saved as somefile.class or somefile.inc through a browser. In which case the interpreter doesn't know what it is looking at and spits it out as text. It depends on your browser. But if you have these kinds of files you can protect them with a .htaccess file.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

> neophyte wrote: It depends on your browser.
It depends on the server configuration, depending on whether or not that extension has been mapped to the PHP interpreter.
mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

neophyte,

Basically I was referring to .php files rather than .class or .inc files, but...
> if you have these kinds of files you can protect them with a .htaccess file.
As a matter of interest, can you point me to where I might find more out on this?

Thanks
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

If Apache is configured to interpret .php files, you cannot see the code by downloading the file via HTTP. This is a security feature.
mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

Jcart,
> depending on whether or not that extension has been mapped to the PHP interpreter.
Do you mean that the DirectoryIndex from <IfModule mod_dir.c> in the httpd.conf file should have default.class and default.inc listed to avoid these from being read as text?

Thanks
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

> Jcart wrote:
> > neophyte wrote: It depends on your browser.
> It depends on the server configuration, depending on whether or not that extension has been mapped to the PHP interpreter.
Guess that was a bit misleading. What I meant was if the file gets off the server and away from the interpreter then it's up to your browser from there -- download, onscreen text etc.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

> Do you mean that the DirectoryIndex from <IfModule mod_dir.c> in the httpd.conf file
Nope, it's actually the

Code:

AddType application/x-httpd-php .php
in your httpd.conf
mikebr
Forum Contributor
Posts: 243
Joined: Sat Sep 28, 2002 7:05 am

Post by mikebr »

> Nope, it's actually the
>
> Code:
>
> AddType application/x-httpd-php .php
>
> in your httpd.conf
But if this is set to parse php the web site php files will be parsed, including any .class or .inc files, correct?
Sorry, but when I asked my question I was actually referring to a web site that was running and set up to parse php.

Thanks
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

It wouldn't parse the .class and .inc files because it wasn't told to parse files with those extensions. You need to add them in.

I believe.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Providing you end all your files in .php and the server parses PHP files it's not possible. There's no insecurity with PHP in this way.

If you're used to naming files with .inc etc.... I find that using:

filename.class.php
filename.inc.php
filename.tpl.php

Works well :)

The places you'd see insecurities are if you do something silly like file_get_contents('phpfile.php'); rather than include(). Then of course there's actual server vulnerabilities if it's badly maintained/secured but this is out of PHP's hands....
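
Added example (not part of any post in this thread): a Python audit for the case discussed above, where files such as .inc or .class contain PHP but their extension is not mapped to the interpreter, so the server returns them as text. It assumes the mapping is declared with AddType/AddHandler lines like the one quoted in the thread, compares only each file's final extension, and uses constructed sample files; the function names are hypothetical.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches e.g. "AddType application/x-httpd-php .php .phtml" (AddHandler too).
MAPPING_RE = re.compile(r"^\s*Add(?:Type|Handler)\s+(\S*php\S*)\s+(.+)$", re.I)
PHP_TAG_RE = re.compile(rb"<\?(?:php|=)", re.I)  # "<?php" or "<?=" open tags


def mapped_extensions(conf_text):
    """Return the extensions (lowercase, no dot) the config maps to PHP."""
    exts = set()
    for line in conf_text.splitlines():
        m = MAPPING_RE.match(line)  # lines starting with "#" never match
        if m:
            exts.update(e.lstrip(".").lower() for e in m.group(2).split())
    return exts


def exposed_sources(docroot, exts):
    """List files under docroot that hold PHP code but would be served raw."""
    hits = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in exts:
                continue  # handled by the interpreter, source not sent
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                if PHP_TAG_RE.search(fh.read(65536)):
                    hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def demo():
    """Run the audit on a constructed config line and constructed files."""
    conf = "# constructed sample\nAddType application/x-httpd-php .php\n"
    files = {"index.php": "<?php echo 'hi';", "db.inc.php": "<?php $x = 1;",
             "db.inc": "<?php $pw = 'constructed';",
             "user.class": "<?php class User {}", "style.css": "body {}"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            Path(root, name).write_text(body)
        return exposed_sources(root, mapped_extensions(conf))


if __name__ == "__main__":
    print(demo())
```

Files it reports can be renamed to end in .php as suggested above, moved outside the document root, or denied to clients in the server configuration.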