user187680

Reputation: 673

How to protect PHP from the public?

So I'm a bit confused about what crafty users can and can't see on a site.

If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?

What permission settings should pages be set to, if there is PHP script that must execute on load but that I don't want anyone to see?

Thanks

Upvotes: 1

Views: 315

Answers (5)

Matt Whipple

Reputation: 7134

2 steps.

Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.

Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.

Upvotes: 2
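One way to check that a deployment follows the second step of the answer above, as an added example that is not part of the original answers: the script uses PHP's tokenizer to flag any `.php` file under the document root that holds more than include/require statements. The directory names `public` and `app`, the function names and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example: audit a document root for PHP files that carry real logic
// instead of a thin include stub. Paths and file contents are constructed.
declare(strict_types=1);

/** True if $source holds nothing but include/require statements and comments. */
function isThinStub(string $source): bool
{
    $allowed = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
                T_REQUIRE, T_REQUIRE_ONCE, T_INCLUDE, T_INCLUDE_ONCE,
                T_CONSTANT_ENCAPSED_STRING, T_DIR];
    foreach (token_get_all($source) as $tok) {
        if (is_string($tok)) {
            // Single-character tokens: only . ( ) ; may appear in a stub.
            if (strpos('.();', $tok) === false) return false;
        } elseif (!in_array($tok[0], $allowed, true)) {
            return false; // variables, functions, echo, inline HTML, ...
        }
    }
    return true;
}

/** Return the sorted paths of .php files under $docroot that are not thin stubs. */
function auditDocroot(string $docroot): array
{
    $flagged = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') continue;
        if (!isThinStub(file_get_contents($file->getPathname()))) {
            $flagged[] = $file->getPathname();
        }
    }
    sort($flagged);
    return $flagged;
}

// Constructed layout: public/ is the document root, app/ sits outside it.
$base = sys_get_temp_dir() . '/docroot_audit_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);
mkdir("$base/app", 0700, true);
file_put_contents("$base/app/page.php", "<?php echo 'hello';\n");
file_put_contents("$base/public/index.php", "<?php require __DIR__ . '/../app/page.php';\n");
file_put_contents("$base/public/report.php", "<?php \$dsn = 'constructed-value'; echo 'logic';\n");
foreach (auditDocroot("$base/public") as $path) {
    echo "contains code beyond an include: $path\n"; // only report.php is listed
}
```

If the web server ever served these files raw, `index.php` would reveal only a path outside the document root, while `report.php` would reveal its full source.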

Geordee Naliyath

Reputation: 1859

If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.

Ensure that you adhere to secure coding practices too. There are quite a number of articles on the web. Here is one: http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

Upvotes: 0

Srijan

Reputation: 1284

PHP is a server-side scripting language that is executed on the server. There is no way it can be accessed client side.

Upvotes: 0

NovaDenizen

Reputation: 5315

It depends entirely on your web server and its configuration. It's the web server's job to take a URL and decide whether to run a script or send back a file. Commonly, the suffix of a filename, the file's directory, or the file's permission attributes in the filesystem are used to make this decision.

Upvotes: 0

kgarthai

Reputation: 100

PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your PHP files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.

Upvotes: 0
