Is it possible for someone to 'hack' an Apache server and read PHP files? I understand that PHP is a server-side language and cannot be read from anywhere other than the server, but could someone hack the server and read them as if reading a text file?
With a correctly configured web server, the PHP code isn't visible to your website visitors. For the PHP code to be accessible by people who visit your website, the server would have to be configured to display it as text instead of processing it as PHP code.
The best way to prevent direct access to files is to place them outside of the web-server document root (usually, one level above). You can still include them, but there is no possibility of someone accessing them through an http request.
No. PHP code must be processed by a PHP engine, and the easiest way to do so in a web environment is to use a web server.
PHP is a server-side programming language, meaning it is executed at the web server before the website is sent to the end-user. This is why you can't see the PHP code when you view the source code.
Well yes, if they ever actually hack into the server (SSH, FTP etc.), they may have access to files on the hard disk. A properly configured Apache server will not serve raw PHP files though, it should always process them with the PHP interpreter first.
To avoid problems with misconfigured Apache servers though (even just temporary glitches), it's advisable to keep the application files outside the public webroot. Put only a small bootstrap PHP file into the webroot which may be exposed in a pinch, but which just includes other PHP files which are not publicly accessible.
There are several options for someone to be able to read the PHP source files on a server.
- `<?php`
- `index.php~` or `index.php.bak`
> I understand that PHP is a server-side language and cannot be read from anywhere other than the server
That only means the files are processed on the server side. It doesn't mean the source is bound to the server in some way.
NASA can be hacked. The FBI can be hacked. Your shared server can definitely be hacked.
Yes, of course they could - if the server is penetrated then any file on it is visible.
This often happens when there is an Apache misconfiguration. If you accidentally remove the extension handler for PHP files, they will be returned as plain text (happened to Facebook years ago). For this reason, it's best to only have a bootstrap file in your docroot (e.g. `index.php` containing `<?php include '../private/not-in-docroot/file.php' ?>`). So if PHP files aren't handled properly, only your bootstrap code will be public - app logic and configuration files will be safe.
tl;dr - Keep your code out of the docroot, only expose a bootstrap file
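The answers above name two ways source ends up readable even when the server itself is not compromised: editor or backup copies such as `index.php~` and `index.php.bak` lying in the docroot (Apache only passes the `.php` extension to the PHP handler, so anything else is served as text), and a handler misconfiguration that returns `.php` files unprocessed. The script below is an added example, not code from any of the answers, that checks for both from the defender's side: it lists backup copies under a docroot and tells whether a saved HTTP response body looks like raw PHP source. The docroot layout, file names and the `demo` function are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Two defender-side checks for
# the leak paths described on this page. All paths and file names here are
# constructed for the demo.

# 1. Editor/backup copies of PHP files inside the docroot (index.php~,
#    index.php.bak, ...). Apache only hands the ".php" extension to the PHP
#    handler, so these copies are served as plain text. List them.
find_backup_copies() {
    docroot="$1"
    find "$docroot" -type f \( -name '*.php~' -o -name '*.php.bak' \
        -o -name '*.php.orig' -o -name '*.php.swp' -o -name '*.php.save' \) | sort
}

# 2. Given a saved HTTP response body (e.g. the output of `curl -s` against a
#    page after a config change), report whether it looks like unprocessed PHP
#    source, i.e. the server returned the file as text instead of executing it.
#    Exit status 0 means "leaks", non-zero means "looks fine".
response_leaks_php() {
    grep -q '<?php' "$1"
}

# Demo on a constructed docroot in a temporary directory: a bootstrap
# index.php in htdocs/ that only includes code from ../private/, plus the
# kind of stray backup copy an editor leaves behind.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs" "$tmp/private"
    printf '<?php require __DIR__ . "/../private/app.php";\n' > "$tmp/htdocs/index.php"
    printf '<?php $db_password = "constructed-example";\n' > "$tmp/private/config.php"
    cp "$tmp/htdocs/index.php" "$tmp/htdocs/index.php~"   # editor backup, served raw
    printf '<html><body>Hello</body></html>\n' > "$tmp/good.txt"   # normal rendered page
    cp "$tmp/htdocs/index.php" "$tmp/leaked.txt"                 # what a broken handler returns

    echo "Backup copies in docroot:"
    find_backup_copies "$tmp/htdocs"
    if response_leaks_php "$tmp/leaked.txt"; then echo "leaked.txt: raw PHP source returned"; fi
    if ! response_leaks_php "$tmp/good.txt"; then echo "good.txt: processed output, ok"; fi
    rm -rf "$tmp"
}

demo
```

Note that the second check only catches the case where the server hands back the file verbatim; it will not notice a config file that is readable because it sits inside the docroot with a non-PHP extension (`config.inc`, `settings.txt`), which is exactly why the answers recommend keeping everything but the bootstrap file outside the docroot.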