 

PHP script protection

I had a terrifying issue a few days ago. I was installing updates on my Ubuntu server, which is a host for about 10 websites. During the update, something went wrong, and Apache's mod_php became disabled. As a result, PHP support was gone, and for a few minutes (until I figured out what was wrong) users got an invitation to download PHP scripts instead of seeing a website. Needless to say, there is nothing worse than exposing your script sources to the whole world, especially when database credentials are kept inside.

The question: How can I configure Apache so that this situation would not be possible in the future? What lines should I add to apache2.conf so that PHP files could not be downloaded if mod_php is disabled?

asked Dec 02 '10 10:12

Silver Light




2 Answers

Just add the following to the .htaccess in the root directory:

php_admin_flag engine on

In this case the user will get an HTTP 500 error when trying to read any file from this directory and below, because no module defines the php_admin_flag directive when mod_php is off.

answered Oct 22 '22 01:10

Vladislav Rastrusny
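
The fail-closed behaviour the question asks for can also be written directly into apache2.conf. The fragment below is an added example, not part of either answer; it assumes Apache 2.4 syntax, PHP served through mod_php, and the module identifiers and file extensions named in its comments.

```apache
# Added example for apache2.conf (Apache 2.4), not from the original answers.
# Assumption: PHP runs through mod_php, whose module identifier is
# php5_module, php7_module or php_module depending on the installed PHP.
# If none of them is loaded, answer 403 for script files instead of
# handing them out as static downloads.
<IfModule !php5_module>
  <IfModule !php7_module>
    <IfModule !php_module>
      # Extension list is an assumption; match whatever the sites use.
      <FilesMatch "\.(php[0-9]?|phtml|phps|inc)$">
        Require all denied
      </FilesMatch>
    </IfModule>
  </IfModule>
</IfModule>
# Caveat: a host that runs PHP through PHP-FPM (proxy_fcgi) never loads
# mod_php, so this block would deny every script there. Use it only on
# mod_php hosts, or test for the handler module that host relies on.
```

Check the syntax with `apachectl configtest`, then on a test host disable the PHP module with `a2dismod` and confirm that a request for a .php file returns 403 rather than the file body.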


A more secure approach would be simply to not put things you don't want accessed in the document root in the first place. See my answer here, which provides more detail; the basic idea is, if you don't ever want a file accessed via URL, don't put the damn file in a URL-accessible place. 99% of your app code should not be under the document root; then it doesn't really matter what you do to your Apache/PHP setup, you're still safe.

answered Oct 22 '22 02:10

El Yobo