Jaro

Reputation: 117

How to avoid malicious use of download attribute?

For example, using Developer Tools in Chrome, it is possible to change the target of any link on a page to index.php and add the download attribute to that link. Then, just by clicking that link, a download of index.php is executed, provided that index.php exists on the website and in the same directory as the page I am on. Taking into account the broad use of PHP in the world (over 80% of websites), I guess that every second website contains index.php. In fact, I tried and downloaded a few files from random websites; the owners do not know, but they are lucky that I do not intend to misuse their data. In almost every case of a successfully downloaded index.php, I also figured out a way to find credentials to their MySQL database (if that was in use). Now I am building my website and want to avoid this. How is it done? I buy web hosting and have access to php.ini. Thank you.

Upvotes: 0

Views: 60

Answers (1)

JohnB

Reputation: 948

PHP is executed server side and will never be able to be downloaded or accessed from the front-facing client side. You may be seeing the index.php code, but that will only be showing the HTML, no actual PHP, so you do not need to worry about this. But obviously make sure that no important information such as usernames or passwords is displayed in your HTML, as that is accessible to everyone; any JavaScript can also be seen using dev tools.

Upvotes: 3
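
A check a site owner can run against their own pages, added here as an example and not part of the original answer: it inspects a response for PHP open tags, which appear only when the web server sent the file itself instead of executing it. The function names, the media-type list and both sample bodies are constructed for illustration.

```python
import re
import urllib.request

# PHP open tags survive only in unexecuted source. "<?xml" is deliberately not
# matched, and pages that display PHP as text escape it as "&lt;?php".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed list: media types a server tends to use when it hands out a
# .php file as a static file instead of passing it to the PHP handler.
SOURCE_TYPES = {"text/plain", "application/octet-stream", "application/x-httpd-php"}

def audit_response(content_type: str, body: bytes) -> dict:
    """Report whether a response body still contains PHP source."""
    tags = PHP_OPEN_TAG.findall(body)
    media = content_type.split(";")[0].strip().lower()
    return {
        "source_exposed": bool(tags),
        "open_tags": len(tags),
        "media_type": media,
        "suspicious_type": media in SOURCE_TYPES,
    }

def audit_url(url: str) -> dict:
    """Fetch a page on a site you operate and audit what the server returns."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_response(resp.headers.get("Content-Type", ""), resp.read())

# Constructed sample: what a correctly configured server returns for index.php.
RENDERED = b"<!doctype html><html><body><h1>Welcome</h1><p>3 products</p></body></html>"

# Constructed sample: the same file sent unexecuted (PHP handler not enabled).
RAW = (
    b"<?php\n"
    b"$db_pass = 'CONSTRUCTED-PLACEHOLDER';\n"
    b"$rows = load_products($db_pass);\n"
    b"?>\n"
    b"<h1>Welcome</h1><p><?= count($rows) ?> products</p>"
)

if __name__ == "__main__":
    print("rendered:", audit_response("text/html; charset=UTF-8", RENDERED))
    print("raw     :", audit_response("text/plain", RAW))
```

The download attribute saves whatever bytes the server returns, so a clean result for the rendered case means the saved file holds only HTML output.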
