I'm developing a PHP application that has to respond to request from several clients, and I thinks "Can any of the clients see the PHP code that I'm writing?".
AstroCB
12.2k20 gold badges57 silver badges71 bronze badges
asked Oct 13, 2009 at 23:02
No, unless
- There is a server misconfiguration
- There is a bad echo/include somewhere
answered Oct 13, 2009 at 23:04
Daniel A. WhiteDaniel A. White
183k45 gold badges360 silver badges434 bronze badges
1
No. Unless you're echoing it to them under where you're actually using it.
answered Oct 13, 2009 at 23:03
Use includes from below or outside the www served directory. [can't +1 yet.. for Frankie]
Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes [or misconfiguration] and can explicitly be disabled in httpd.conf.
If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find. Consider:
fopen['reports/' . $_GET['blah']];
where the user passes in '../index.php'
answered Oct 13, 2009 at 23:37
Daren SchwenkeDaren Schwenke
5,3383 gold badges27 silver badges34 bronze badges
No, but you should take all measures to prevent it.
You should always set your sensitive code [heck, why not all?] in a directory bellow your server working dir [say /www], that way if the server gets messed up, it wont be able to show your code to the world because that code will be included by php that is not working in the first place.
answered Oct 13, 2009 at 23:24
FrankieFrankie
24.2k10 gold badges79 silver badges119 bronze badges
If you have your webserver set to serve instead of parse your php yes. But then the clients wouldn't work. So the barring any security holes, answer is no.
answered Oct 13, 2009 at 23:05
Byron WhitlockByron Whitlock
51.7k28 gold badges119 silver badges167 bronze badges
No. Assuming you've installed a L/UAMP server properly, or aren't printing out [echo, print_r, etc.] and of the guts of your code, the PHP will be processed and the logic or HTML it's meant to output will be used on the page, not visible.
N.B. If there isn't an 'index' in a directory or a proper .htacess file, an Apache server will show a list of files in the directory, which can be downloaded and reviewed.
answered Oct 14, 2009 at 4:13
1
One mistake for it to happen is to paste a php tag inside a php string, example:
$string = "This is the answer: ";
echo $string;
The person did a Ctrl+C and Ctrl+V of something that should be printed along the string, but the coder forgot to remove the php tags by distraction.
answered Apr 3, 2013 at 2:48
Sergio AbreuSergio Abreu
2,46724 silver badges20 bronze badges