 

Can a PHP file ever be read externally? [closed]

Tags:

security

php

Is it possible for someone to 'hack' an Apache server and read PHP files? I understand that PHP is a server-side language and cannot be read from anywhere other than the server, but could someone hack the server and read them as if reading a text file?

Joey Morani asked Jan 04 '12 22:01



5 Answers

Well yes, if they ever actually hack into the server (SSH, FTP etc.), they may have access to files on the hard disk. A properly configured Apache server will not serve raw PHP files though, it should always process them with the PHP interpreter first.

To avoid problems with misconfigured Apache servers though (even just temporary glitches), it's advisable to keep the application files outside the public webroot. Put only a small bootstrap PHP file into the webroot which may be exposed in a pinch, but which just includes other PHP files which are not publicly accessible.

deceze answered Sep 29 '22 17:09


There are several options for someone to be able to read the PHP source files on a server.

  1. Think about a misconfiguration of the server
  2. A hack of the server
  3. Not opening the PHP file with <?php
  4. Temporary / backup files (Think index.php~ or index.php.bak)
  5. etc.

I understand that PHP is a server-side language and cannot be read from anywhere other than the server

That only means the files are processed on the server side. It doesn't mean the source is bound to the server in some way.

PeeHaa answered Sep 29 '22 17:09


NASA can be hacked. The FBI can be hacked. Your shared server can definitely be hacked.

Martin Bean answered Sep 30 '22 17:09


Yes, of course they could - if the server is penetrated then any file on it is visible.

Alnitak answered Sep 29 '22 17:09


This often happens when there is an Apache misconfiguration. If you accidentally remove the extension handler for PHP files, they will be returned as plain text (happened to Facebook years ago). For this reason, it's best to only have a bootstrap file in your docroot (e.g. index.php containing <?php include '../private/not-in-docroot/file.php' ?>). So if PHP files aren't handled properly, only your bootstrap code will be public - app logic and configuration files will be safe.

tl;dr - Keep your code out of the docroot, only expose a bootstrap file

John Himmelman answered Sep 30 '22 17:09
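The docroot hygiene recommended by deceze, PeeHaa and John Himmelman above, as an added defender-side audit script (example code, not written by any of the answerers). It assumes a local filesystem path to the docroot and flags only the issues this thread names: application PHP files other than the single bootstrap, editor/backup copies such as index.php~ or index.php.bak, and .php files whose first bytes come before the <?php tag; the sample docroot it builds is constructed for the demonstration.

```python
"""Audit a web docroot for the source-exposure risks discussed in the answers."""
import os
import re
import tempfile

# Suffixes that editors and deploy scripts leave behind (index.php~, index.php.bak, ...)
BACKUP_RE = re.compile(r"(~|\.bak|\.orig|\.old|\.swp)$")


def check_php_file(path):
    """Issues for one .php file: if it does not open with <?php, every byte
    before the first tag (possibly the whole file) is sent to the client verbatim."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if not head.lstrip().startswith(b"<?php"):
        return ["does not open with <?php; leading bytes are served as text"]
    return []


def audit_docroot(docroot, bootstrap="index.php"):
    """Return sorted (relative path, issue) pairs for files that would expose
    source if the PHP handler were ever missing or misconfigured."""
    findings = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if BACKUP_RE.search(name):
                findings.append((rel, "backup/temp copy; usually not matched by the PHP handler, so served as text"))
            elif name.endswith(".php"):
                findings.extend((rel, msg) for msg in check_php_file(full))
                if rel != bootstrap:
                    findings.append((rel, "application code inside docroot; move it above the webroot"))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample docroot (not a real deployment) reproducing the
    mistakes named in the thread; returns its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.php": "<?php require __DIR__ . '/../private/app.php';\n",  # the only file that belongs here
        "index.php~": "<?php // editor backup of the bootstrap\n",         # PeeHaa's item 4
        "config.php": "<?php $db_password = 'example-only';\n",             # app config in docroot
        "lib/helpers.php": "<html>\n<?php echo 'tag not at top'; ?>\n",      # PeeHaa's item 3
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, issue in audit_docroot(build_sample_docroot()):
        print(f"{rel}: {issue}")
```

Point audit_docroot at a real docroot to get the same report; an empty result means only the bootstrap is exposed if Apache ever falls back to serving the directory as plain files.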