Reputation:
Visibility of scripts on HTTP server
If I have a http server with various HTML pages and various PHP (or other) scripts, then If I try to view the code (as in Chrome's View source tool) then the PHP code is not shown, which is just as well. I want to know how secure from prying eyes is the code? Would a password hardcoded into the script be safe?
Upvotes: 4
Views: 66
Answers (3)
Reputation: 360762
The only time your PHP code could become exposed is if the script somehow becomes treated as "not-PHP" and gets served up as raw text. If your server configuration is correct, then the code is 'safe' from web-based leakage.
That being said, it is best to put critical information that should remain private (usersnames/passwords, config variables, database DSNs, etc...) in a separate file that's kept OUTSIDE of the site's document root. That way, even if PHP becomes corrupted/disabled on the server, all a user would see is
<?php
include('critical_data_here.php');
?>
and not
<?php
$username = 'root';
$password = 'password';
$lotto_ticket_worth_50million = 'under the left couch cushion at 221B Baker Street';
?>
Upvotes: 2
Reputation:
It's never 100% safe to keep passwords, especially on your server.
If you have to keep passwords in script - keep them in files, which placed not in public directory (can not be accessed by user in browser).
Upvotes: 2
Reputation: 50974
<?php
$password = "password";
?>
is save until you've got PHP module loaded.
<span>$password = "password";</span>
is not secure and will not work
Upvotes: 0
Related Questions
- Secure Php execution on server
- How to secure php scripts?
- Protect PHP Scripts from unauthorized access
- How can I restrict / authorize access to PHP script?
- Restrict access to php scripts on my server
- PHP/Javascript security
- PHP file security on webserver
- How to only allow calls to PHP scripts from files on my server?
- PHP script protection
- prevent direct access to a php include