Securing PHP scripts.

**Dana Cartwright** · May 4 '06, 02:45 AM

Re: Securing PHP scripts.

<techjohnny@gma il.com> wrote in message
news:1146702356 .443577.31560@v 46g2000cwv.goog legroups.com...[color=blue]
> Hello:
>
> I have a form that processes a script upon submission. The script is
> on the local server, but is accessible through a web browser. I'd like
> the user to be able to submit a form and process the script, but not
> see the contents of the script.
>
> http://www.form.com/form.htm -> submit -> processes
> http://www.form.com/process1.php
>
> I want to be able to store the .php script outside of the Web Root.[/color]

OK, so store it outside, let's say it's called "outside.ph p", and then put
your "http://www.form.com/process1.php" file where it has to be to work, and
make it a single line:

include( '../outside.php' );

(or whatever path is appropriate).

Note that this does not in any way improve your security, which I imagine is
your goal. I'm just suggesting a way to accomplish your stated objective.

-Dana

**techjohnny@gmail.com** · May 4 '06, 03:35 AM

Re: Securing PHP scripts.

Ok, I'm just trying to prevent people from viewing and downloading the
php code. Since some of the form.php is in html, is there an easy way
to convert to complete .php without having to add "echo "line"; " in
each part of the html?

Thanks,

--TJ

**Dana Cartwright** · May 4 '06, 04:15 AM

Re: Securing PHP scripts.

<techjohnny@gma il.com> wrote in message
news:1146712732 .908890.6470@j7 3g2000cwa.googl egroups.com...[color=blue]
> Ok, I'm just trying to prevent people from viewing and downloading the
> php code. Since some of the form.php is in html, is there an easy way
> to convert to complete .php without having to add "echo "line"; " in
> each part of the html?[/color]

Look at the "heredoc" syntax. Pay particular attention to the fact that you
can put PHP variables within the heredoc text.

**tool** · May 4 '06, 11:25 AM

Re: Securing PHP scripts.

In article <G_e6g.6344$TT. 1904@twister.ny roc.rr.com>,
danapub2@weavem aker.com says...[color=blue]
> <techjohnny@gma il.com> wrote in message
> news:1146712732 .908890.6470@j7 3g2000cwa.googl egroups.com...[color=green]
> > Ok, I'm just trying to prevent people from viewing and downloading the
> > php code. Since some of the form.php is in html, is there an easy way
> > to convert to complete .php without having to add "echo "line"; " in
> > each part of the html?[/color]
>
> Look at the "heredoc" syntax. Pay particular attention to the fact that you
> can put PHP variables within the heredoc text.
>
>
>[/color]

how can people look at your php files? looking at your directory with a
browser shouldnt show them. at least not on my server it doesnt. doesnt
all php not inside html just get run by the server not sent to the
browser ?

to have it somewhere else

<FORM ACTION = "myscripts/dothis.php">

Cantyou just have your php code on the htm page call funtions in a file
in that directory?

that shouldnt let anyone get at it I dont think.

perhaps someone would explain if I',m wrong?

**Jerry Stuckle** · May 4 '06, 12:55 PM

Re: Securing PHP scripts.

techjohnny@gmai l.com wrote:[color=blue]
> Hello:
>
> I have a form that processes a script upon submission. The script is
> on the local server, but is accessible through a web browser. I'd like
> the user to be able to submit a form and process the script, but not
> see the contents of the script.
>
> http://www.form.com/form.htm -> submit -> processes
> http://www.form.com/process1.php
>
> I want to be able to store the .php script outside of the Web Root.
>
> How?
>
> Thanks,
>
> --TJ
>[/color]

TJ,

PHP is executed server-side, not client-side. If your host is properly
configured, there is no way anyone can see your PHP code.

If the server is configured improperly, you have a problem. Dana's suggestion
will work in this case - they won't be able to see anything besides the include
statement.

But is it worth the extra hassle and maintenance? I do this for critical files
such as ones containing passwords. But not the every-day files.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

**techjohnny@gmail.com** · May 4 '06, 08:05 PM

Re: Securing PHP scripts.

I'm more worried about a Web Crawler that can d/l the PHP scripts if
they're in the DocumentRoot.

Thanks,

--TJ

**an@other.com** · May 5 '06, 11:15 AM

Re: Securing PHP scripts.

In article <1146772365.461 502.208970@i40g 2000cwc.googleg roups.com>,
techjohnny@gmai l.com says...[color=blue]
> I'm more worried about a Web Crawler that can d/l the PHP scripts if
> they're in the DocumentRoot.
>
> Thanks,
>
> --TJ
>
>[/color]

Why?

What can it fo that a browser can't ?

**Jerry Stuckle** · May 5 '06, 12:15 PM

Re: Securing PHP scripts.

techjohnny@gmai l.com wrote:[color=blue]
> I'm more worried about a Web Crawler that can d/l the PHP scripts if
> they're in the DocumentRoot.
>
> Thanks,
>
> --TJ
>[/color]

TJ,

The crawler has to use the same interface the browser does. And it gets exactly
the same information.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Securing PHP scripts.

Securing PHP scripts.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment