How are php files secured

Question

I was wondering how php files are actually secured. How come one can not download a php file, even if the exact location is known?

When I upload a php file to my webserver, lets say to domain.com/files, and I call the domain.com/files page, I can clearly see the php file and its actual size. Downloading the file however leads to an empty file.

The question then is: How does the security mechanism work exactly?

Answer 1

The web server's responsibility is to take the PHP script and hand it to the PHP interpreter, which sends the HTML (or other) output back to the web server.

A mis-configured web server may fail to handle the PHP script properly, and send it down to the requesting browser in its raw form, and that would make it possible to access PHP scripts directly.

Your web hosting may have a mechanism to list the contents of a directory, but the unless it supplies a download mechanism to supply the PHP script with plain text headers (as opposed to HTML) without handing it to the PHP interpreter, it will be executed as PHP rather than served down.

In order to be able to download the raw PHP file, the server would have to do some extra work (possibly via another PHP script) which reads the PHP file from disk and sends its contents down to the browser with plain text headers.

Answer 2

When you request domain.com/files your web server is setup to show all the files in that directory.

When you request the actual php file the web server executes it and outputs the results back to you - not the source code.

Of course, both of the above can be configured. You could switch of directory listing and disable parsing of php files so the actual file contents/source code is output.

Its usually a good practice to switch off directory listing.