Read a web page without the php being parsed
Posted: Thu Mar 02, 2006 2:56 pm
by mikebr
Can someone load a web page that consists of PHP and be able to read the code, apart from when PHP is down on the server?
I don't want to do this or know the name of any program that will do it, I just want to know if this is a possibility so I know how secure the php code is on an actual web page.
Thanks
Posted: Thu Mar 02, 2006 3:16 pm
by feyd
So long as PHP is set to parse the files in the requested folder, there shouldn't be an issue of the code being readable unless you build them with such a "feature." That does not mean the code could not be read by, say, another user on the same server if the folders aren't read protected; however, that is an issue the server administrator should deal with (and frankly, that's what they're paid to do, among other things).
Posted: Thu Mar 02, 2006 3:31 pm
by mikebr
OK, but does anyone know if a program exists, one that someone could use maliciously from their computer to grab the html/php from a web page without it having been parsed? Maybe some program like a browser that shows the unparsed text 'code' from the web page rather than the parsed version as say Internet Explorer would do?
The reason I ask is that I am fairly sure that I had read a couple of years back that this was a possibility and something that developers should be aware of, but I don't seem to have come across this since.
Thanks
Posted: Thu Mar 02, 2006 3:40 pm
by feyd
The code is never transmitted to the requesting agent unless the code or the server does so on its own. If PHP handles the request, PHP only returns what the script outputs, be that the code from the script or HTML or an image.
Posted: Thu Mar 02, 2006 3:46 pm
by mikebr
OK, I guess what you are saying is that this is not possible to do.
Thanks
Posted: Thu Mar 02, 2006 4:01 pm
by neophyte
I've been able to look at code when the files were saved as somefile.class or somefile.inc through a browser. In which case the interpreter doesn't know what it is looking at and spits it out as text. It depends on your browser. But if you have these kinds of files you can protect them with a .htaccess file.
Posted: Thu Mar 02, 2006 4:04 pm
by John Cartwright
neophyte wrote: It depends on your browser.
It depends on the server configuration, depending on whether or not that extension has been mapped to the PHP interpreter.
Posted: Thu Mar 02, 2006 4:10 pm
by mikebr
neophyte,
Basically I was referring to .php files rather than .class or .inc files, but...
neophyte wrote: if you have these kinds of files you can protect them with a .htaccess file.
As a matter of interest, can you point me to where I might find more out on this?
Thanks
Posted: Thu Mar 02, 2006 4:11 pm
by chrys
If Apache is configured to interpret .php files, you cannot see the code by downloading the file via HTTP. This is a security feature.
Posted: Thu Mar 02, 2006 4:15 pm
by mikebr
Jcart,
Jcart wrote: depending on whether or not that extension has been mapped to the PHP interpreter.
Do you mean that the DirectoryIndex from <IfModule mod_dir.c> in the httpd.conf file should have default.class and default.inc listed to avoid these from being read as text?
Thanks
Posted: Thu Mar 02, 2006 4:16 pm
by neophyte
Jcart wrote: neophyte wrote: It depends on your browser.
It depends on the server configuration, depending on whether or not that extension has been mapped to the PHP interpreter.
Guess that was a bit misleading. What I meant was if the file gets off the server and away from the interpreter then it's up to your browser from there -- download, onscreen text etc.
Posted: Thu Mar 02, 2006 5:52 pm
by John Cartwright
mikebr wrote: Do you mean that the DirectoryIndex from <IfModule mod_dir.c> in the httpd.conf file
Nope, it's actually the
Code:
AddType application/x-httpd-php .php
in your httpd.conf
Posted: Fri Mar 03, 2006 2:59 am
by mikebr
Jcart wrote: Nope, it's actually the
Code:
AddType application/x-httpd-php .php
in your httpd.conf
But if this is set to parse php the web site php files will be parsed, including any .class or .inc files, correct?
Sorry, but when I asked my question I was actually referring to a web site that was running and set up to parse php.
Thanks
Posted: Fri Mar 03, 2006 4:58 am
by mickd
It wouldn't parse the .class and .inc files because it wasn't told to parse files with those extensions. You need to add them in.
I believe.
Posted: Fri Mar 03, 2006 5:24 am
by Chris Corbyn
Providing you end all your files in .php and the server parses PHP files it's not possible. There's no insecurity with PHP in this way.
If you're used to naming files with .inc etc.... I find that using:
filename.class.php
filename.inc.php
filename.tpl.php
Works well
The places you'd see insecurities are if you do something silly like file_get_contents('phpfile.php'); rather than include(). Then of course there's actual server vulnerabilities if it's badly maintained/secured but this is out of PHP's hands....
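As an added example (not part of any post in this thread, and not code from Apache or PHP): an audit a site owner can run over their own document root to list files that contain PHP but whose extension is not mapped to the interpreter by an AddType/AddHandler line, which is the .inc/.class situation discussed above. It is a simplification that checks only the final extension, and the config text and file names in demo() are constructed.

```python
import os
import re
import tempfile

# Matches directives that route extensions to PHP, e.g.
#   AddType application/x-httpd-php .php
PHP_DIRECTIVE = re.compile(
    r"^\s*(?:AddType|AddHandler)\s+(\S*php\S*)\s+(.+)$", re.IGNORECASE)

def php_extensions(conf_text):
    """Return the set of extensions (lowercase, no dot) mapped to PHP."""
    exts = set()
    for line in conf_text.splitlines():
        m = PHP_DIRECTIVE.match(line)
        # x-httpd-php-source displays the code on purpose, so it is not
        # counted as "handled by the interpreter".
        if m and "source" not in m.group(1).lower():
            exts.update(e.lstrip(".").lower() for e in m.group(2).split())
    return exts

def exposed_sources(docroot, mapped):
    """List files under docroot that contain a PHP open tag but whose final
    extension is not in `mapped`; the server would send these as plain text."""
    hits = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if b"<?php" in head and ext not in mapped:
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def demo():
    """Build a constructed docroot and config, then run the audit on it."""
    conf = "# constructed sample\nAddType application/x-httpd-php .php\n"
    names = ("index.php", "db.inc", "user.class", "db.inc.php", "logo.txt")
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("plain" if name == "logo.txt" else "<?php $pw='x'; ?>")
        return exposed_sources(root, php_extensions(conf))

if __name__ == "__main__":
    print(demo())
```

Files it reports can be renamed to end in .php (the filename.inc.php convention above), moved outside the document root, or denied in .htaccess.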