Can bots scan code?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

skytreader
Forum Newbie
Posts: 7
Joined: Wed Sep 09, 2009 12:31 pm

Can bots scan code?

Post by skytreader »

Hello all. As I'm aware, bots scour the net for email adds to spam. Hence, people have been implementing measures against such bots, such as giving out their email adds on webpages in the form someoneNOSPAM@NOBOTexample.com, or some other distortion readily recognizable to humans (and not to bots). However, I've been thinking lately, can bots scan the source code? (Or do they really scan the source code and it is only me who's got the impression that they scan, not the source code, but the "page" which humans see?)

Specifically, I'm concerned about this: I'm creating a guestbook for my website and I used PHP's mail() function. If someone reads my source code, he can easily obtain my email add and spam-attack me. I know that humans would have to download the PHP file itself (not just display it on their browser and click "View Source"). But can bots scour my code? Also, since I'm implementing a captcha on my website, I signed up for reCaptcha.

At http://recaptcha.net/plugins/php/, item 4 tells me in what code my private key will be used. However, as reCaptcha told me upon giving me my keys, I should keep my private key, well, private. I've been thinking of directly typing the code template of item 4 into the "processor" page of my forms, but won't that expose my private key?

What should I do to secure myself?

Advance thanks to anyone who can enlighten me on this.
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Re: Can bots scan code?

Post by greyhoundcode »

Generally, depending on how your server is configured, it is not possible for bots or anyone else to view the contents of a .php file, only the output.

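```php
<?php
// Load the PNG from disk into a GD image resource.
$im = imagecreatefrompng("image.png");

// Tell the client that the response body is a PNG image.
header('Content-type: image/png');

// Send the image data, then free the memory it used.
imagepng($im);
imagedestroy($im);
```
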
In the case of the script above for instance it should not be possible for bots or visitors to see the underlying PHP code, only the image. Of course, if you start using file extensions such as .inc then you might want to be a bit more careful and check all the settings, etc.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can bots scan code?

Post by kaisellgren »

Bots read the HTML source code. They can't access your PHP source code (unless there's a security hole in your system), if that's what you asked. So, emails in the HTML/CSS/JavaScript (or any other client-side language) are visible to bots, but not the ones that are on server-side languages such as PHP.
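
The replies above come down to this: PHP source stays private only while the server executes the file instead of serving it as text. As an added example (not written by any poster in this thread; the paths, file names and array keys are assumptions), the following keeps the reCAPTCHA private key and the mail() recipient in a file outside the document root and refuses a config file placed where it could be served:

```php
<?php
// Added example, not code from the thread. Paths, file names and array keys
// are assumptions made for illustration.

// Load secrets from a PHP file that returns an array. A file inside the web
// root has a URL, so one handler misconfiguration sends its source to any
// client, bot or human; such a file is refused.
function load_private_config(string $configPath, string $documentRoot): array
{
    $file = realpath($configPath);
    $root = realpath($documentRoot);
    if ($file === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    if (strpos($file, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config must live outside the document root');
    }
    // Keep the .php extension so the file is executed, not displayed, if it
    // is ever copied into the web root by mistake.
    if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException('Config must use the .php extension');
    }
    $config = require $file;
    foreach (['recaptcha_private_key', 'mail_to'] as $key) {
        if (!is_array($config) || empty($config[$key])) {
            throw new RuntimeException("Missing config value: $key");
        }
    }
    return $config;
}

// Constructed demo layout in a temp directory; public/ plays the web root.
$base = sys_get_temp_dir() . '/guestbook-demo-' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
$body = "<?php return ['recaptcha_private_key' => 'PLACEHOLDER-KEY', "
      . "'mail_to' => 'owner@example.com'];\n";
file_put_contents("$base/private/config.php", $body);
file_put_contents("$base/public/config.inc", $body); // the risky placement

$config = load_private_config("$base/private/config.php", "$base/public");
echo "Guestbook mail() recipient loaded: {$config['mail_to']}\n";

try {
    load_private_config("$base/public/config.inc", "$base/public");
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

In the guestbook's form processor, `$config['recaptcha_private_key']` would go to the reCAPTCHA check and `$config['mail_to']` to mail(), so neither value appears in a file under the web root.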