.php files - permissions are set public readable - so can public get to see actual raw file?

  • Dave Smithz

    .php files - permissions are set public readable - so can public get to see actual raw file?

    Hi there,

    As a newbie to PHP is it in any way possible for a casual web surfer to
    actually get to see the PHP behind my .php file.

    E.g.

    if index.php contained PHP code to check if the page had been called with a
    variable such as "password", is there any way a public member can get to see
    the raw php file and therefore see what the password is?

    index.php might be:

    if ($_REQUEST['password'] == "secret") {
        // Then show one page
    } else {
        // show another page
    }

    So if a user visits with
    index.php?password=secret

    they get to see the secret page.
    But as the index.php has to have file permission set so that anyone can read
    it, I'm worried that the public can just somehow view the file and learn the
    password.

    Can someone shed any light on this (assuming it makes sense).

    Kind regards

    Dave.


  • Andy Hassall

    #2
    Re: .php files - permissions are set public readable - so can public get to see actual raw file?

    On Wed, 26 Jan 2005 00:13:25 -0000, "Dave Smithz" <SPAM FREE WORLD> wrote:
    >As a newbie to PHP is it in any way possible for a casual web surfer to
    >actually get to see the PHP behind my .php file.

    Not unless your server is badly misconfigured.
    >E.g.
    >
    >if index.php contained PHP code to check if the page had been called with a
    >variable such as "password", is there any way a public member can get to see
    >the raw php file and therefore see what the password is?
    >
    >index.php might be:
    >
    >if ($_REQUEST['password'] == "secret") {
    >    // Then show one page
    >} else {
    >    // show another page
    >}
    >
    >So if a user visits with
    >index.php?password=secret
    >
    >they get to see the secret page.
    >But as the index.php has to have file permission set so that anyone can read
    >it, I'm worried that the public can just somehow view the file and learn the
    >password.

    If the "public" is just people who view through the web server, then no,
    unless your server config is broken. That rules out "casual web surfers".

    However, people logged into the server itself through shell access, or running
    their own PHP code on the same server would likely be able to access
    public-readable scripts.

    --
    Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
    <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool


    • Dave Smithz

      #3
      Re: .php files - permissions are set public readable - so can public get to see actual raw file?


      "Andy Hassall" <andy@andyh.co.uk> wrote in message
      > If the "public" is just people who view through the web server, then no,
      > unless your server config is broken. That rules out "casual web surfers".
      >
      > However, people logged into the server itself through shell access, or running
      > their own PHP code on the same server would likely be able to access
      > public-readable scripts.

      OK, so other users on my server from shared hosting account (like webfusion
      or something) would be able to gain access to my raw php files.

      So what is ideally a quick and easy way to implement security so that no one
      other than the programmers get to see the raw code?
      I tried password protected folders, but the problem is that then when we
      want the "public" (casual web surfers) to submit information that gets
      entered into the DB, they get prompted for username and password.

      (See earlier post yesterday titled:
      "Maybe easy - securing php files containing DB access passwords etc." )

      Any thoughts?

      Kind regards

      Dave



      • Michael Fesser

        #4
        Re: .php files - permissions are set public readable - so can public get to see actual raw file?

        .oO("Dave Smithz" <SPAM FREE WORLD>)
        >OK, so other users on my server from shared hosting account (like webfusion
        >or something) would be able to gain access to my raw php files.

        Probably.
        >So what is ideally a quick and easy way to implement security so that no one
        >other than the programmers get to see the raw code?

        On many shared hosts there simply is no way, because all PHP scripts run
        with the same username. There are ways to run scripts under the username
        of their owner, but this has to be configured by the host.

        Micha

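An added example, not part of any post in this thread: a shell check for the situation described in replies #2 and #4, where other local accounts on a shared host can read public-readable scripts. The document root, file names and file contents are constructed, and `tighten_php` is only usable on hosts that run scripts under the owner's account, as reply #4 notes.

```shell
#!/bin/sh
# Added example (not from the thread): find PHP scripts that any local
# account on the host can read, and which of those mention a password.

# List .php files under $1 whose "other" read bit is set.
world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 -print | sort
}

# Of those, list the ones whose source contains the word "password".
exposed_secret_candidates() {
    world_readable_php "$1" | while IFS= read -r f; do
        if grep -qi 'password' "$f"; then printf '%s\n' "$f"; fi
    done
}

# Drop all "other" access. Only usable where the host runs scripts as the
# file's owner or group; otherwise the web server can no longer read them.
tighten_php() {
    world_readable_php "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Build a constructed document root for the demo (file names are made up).
make_demo_root() {
    root=$(mktemp -d)
    printf '%s\n' '<?php if ($_REQUEST["password"] == "secret") { /* ... */ }' > "$root/index.php"
    printf '%s\n' '<?php echo "hello";' > "$root/about.php"
    printf '%s\n' '<?php $db_password = "constructed";' > "$root/config.php"
    chmod 644 "$root/index.php" "$root/about.php"
    chmod 640 "$root/config.php"
    printf '%s\n' "$root"
}

demo_root=$(make_demo_root)
echo "World-readable scripts:";        world_readable_php "$demo_root"
echo "Readable and mention password:"; exposed_secret_candidates "$demo_root"
tighten_php "$demo_root"
echo "After chmod o-rwx:";             world_readable_php "$demo_root"
rm -rf "$demo_root"
```
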

        • Markku Uttula

          #5
          Re: .php files - permissions are set public readable - so can public get to see actual raw file?

          Dave Smithz wrote:
          > So what is ideally a quick and easy way to implement security so that
          > no one other than the programmers get to see the raw code?

          If the webhost supports it, Zend Encoder. Quick, easy, but definitely
          not cheap. On the other hand, if there really is something worth
          protecting, the price of Zend Encoder is small to pay for the
          protection you get.

          --
          Markku Uttula
