In order to get PHP to run I had to enable Includes on Apache webserver. No one can actually see my .php files because when they're fetched by the server they're rendered and the client sees just css/html/whatever. It might just highlight my newness with PHP.
Is it possible for someone to break the PHP-rendering part of my server such that clients would be able to see my .php code when they request a page?
And if this can happen, what are some preventative measures I can take to ensure my commercial code stays closed-source?
Again, this might not even be a real concern, but I'd love to know.
If someone accesses a PHP file on your site, all they will see is the code output by the PHP script (e.g. any HTML or JavaScript) - they won't see the source for the PHP page itself (and will have no way to access it).
You've written your first PHP program, but when you go to run it, all you see in your browser is the code—the program doesn't actually run. When this happens, the most common cause is that you are trying to run PHP somewhere that doesn't support PHP.
You're just opening your PHP file in the browser. You have to open it using a localhost URL. If you open a file directly from your directory, it will not execute the PHP code in any case.
Common errors are: editing the wrong file, filling a hard-drive with garbage data, and deleting the content of a file by accident.
As others have said, a misconfigured web server that treats .php files as plain text will happily serve up your source code.
Most frameworks (both public and in-house) these days, however, keep very little PHP code in a web-accessible area. Typically, there's a single index.php file in the document root, which includes and calls code in other files that are wholly outside the document root.
Usually, you'll have something like this:
/path/to/proj/ <-- your project root
/path/to/proj/application <-- holds most of your application code
/path/to/proj/lib <-- third-party libraries go here
/path/to/proj/public <-- your web server uses this as the document root.
/path/to/proj/public/index.php <-- single point of entry into your application. All requests are routed through here.
/path/to/proj/public/images <-- static resources, like images, also live under the docroot.
Rewrite rules are typically used to marshal any requests through the one public index.php file.
With a setup like this, if your webserver were to become misconfigured in a way that would cause it to transmit your code, you'd be pretty much covered. The only leak would be your index.php file, which is probably a couple of include/require statements and a single function/method call. Nothing sensitive at all.
Look at the standard Zend Framework or Symfony (or any framework, really) file layout for a clearer picture.
There are two ways for this to happen:
To help prevent any of these situations from causing problems:
Do not embed any sensitive information (e.g., passwords) into your source files. Instead, include them from files that live outside the web root. So if your source becomes visible, nobody will be able to access that private data.
Do not display errors on screen in production. A database password could show up in the exception thrown.
Be sure to disable any development/debug settings on production.
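As an added example (not part of the original answers), here is a shell check for the layout and advice above: it flags PHP source under the document root other than index.php, and web-accessible files that contain credential literals. The function names, the credential pattern and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes the layout above:
# <project>/public is the docroot and public/index.php is the only entry point.

# PHP-like source files in the docroot other than the front controller.
exposed_php_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        ! -path "$1/index.php" | sort
}

# Docroot files that assign a quoted literal to a credential-looking name.
# Heuristic pattern (an assumption of this example); tune it for your code.
files_with_secrets() {
    grep -rIliE "(password|passwd|secret|api_?key)['\"]?[[:space:]]*(=>|=)[[:space:]]*['\"][^'\"]+['\"]" "$1" | sort
}

# Print findings; return 0 when the docroot is clean, 1 otherwise.
audit_docroot() {
    docroot=${1%/}
    rc=0
    exposed=$(exposed_php_files "$docroot")
    secrets=$(files_with_secrets "$docroot")
    if [ -n "$exposed" ]; then
        echo "Move outside the docroot (served as text if PHP handling breaks):"
        echo "$exposed" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$secrets" ]; then
        echo "Credential literals in web-accessible files (load from outside the docroot):"
        echo "$secrets" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample tree for the demo; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/application" "$root/lib" "$root/public/images" "$root/public/admin"
    printf '%s\n' '<?php require __DIR__ . "/../application/Bootstrap.php"; run();' > "$root/public/index.php"
    printf '%s\n' '<?php function run() { echo "ok"; }' > "$root/application/Bootstrap.php"
    printf '%s\n' '<?php $db_password = "example-only";' > "$root/public/admin/config.php"
    : > "$root/public/images/logo.png"
    echo "$root"
}

sample=$(make_sample_tree)
audit_docroot "$sample/public" || echo "Docroot needs cleanup."
rm -rf "$sample"
```

Run against a real project by calling audit_docroot with the path your web server uses as its document root; a non-zero return makes it usable as a deployment gate.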