cgm225 Posted August 25, 2008
I have a personal website, and I have put a lot of time in on the code. However, now I want to make the code viewable so other people can learn from it. Is there a good way for displaying php source code online? I vaguely remember seeing a phps (?) file somewhere with an s added to the end, and that outputting the source code? Also, I realize that displaying my code could leave me vulnerable to attacks. Do you think that should preclude me from providing my source code to the public? Thanks again... just looking for people's thoughts and ideas...

revraz Posted August 25, 2008
Totally up to you, but one way would be to just name it filename.txt unless you want it color coded.

obsidian Posted August 25, 2008
Well, there are a couple options. If you want your server to not parse the code, just change the extension to one that is not recognized as PHP, but if you are wanting to actually display the contents of a file as code, try looking at the highlight_file() and highlight_string() methods.

cgm225 (Author) Posted August 25, 2008
Ok, so I want to go with the highlight_file('$filename') function. I would like to use it with the GET function where I GET the name of a file (i.e. $filename) and insert it into the function. However, simply doing that would allow someone to just insert a sensitive filename into the address bar and see the source (like a password.php). Therefore, I was thinking about creating a "white-list" of filenames that I can check the GET filename against. IF the filename is present in the white-list, then I will display the source code. How would you go about coding this white-list? Would you use an array for it? Or would you do something completely differently? Thanks again!

joquius Posted August 25, 2008
how about just parsing php as php-source in one "source" directory?

Adam Posted August 25, 2008
yeah just loop thru the array checking for a match...

```php
<?php
// White-list of files whose source may be displayed
$allowedFiles[0] = "example1.php";
$allowedFiles[1] = "example2.php";
$allowedFiles[2] = "example3.php";
$allowedFiles[3] = "example4.php";

foreach ($allowedFiles as $val) {
    // Show the file only when the requested name matches an entry exactly
    if (isset($_GET['fileToShow']) && $_GET['fileToShow'] === $val) {
        highlight_file($val);
        break;
    }
}
?>
```

Not tested but should work...

cgm225 (Author) Posted August 25, 2008
$allowedFiles[0] = "example1.php" is returning example1php (notice the lost period). Do I need to escape the periods?

thebadbad Posted August 25, 2008
You can also use an in_array(). Dunno why the dot disappeared - it certainly shouldn't.

```php
<?php
// Files whose source may be displayed
$allowed = array(
    'example1.php',
    'example2.php'
);

// Strict in_array() match: the request value must be one of the listed names
if (isset($_GET['filename']) && in_array($_GET['filename'], $allowed, true)) {
    highlight_file($_GET['filename']);
} else {
    die('You\'re not allowed to view the source of the requested page.');
}
?>
```

cgm225 (Author) Posted August 25, 2008
How does this look? I am being careful about what scripts I post. Any thoughts on what I have done? I am currently checking the POST'ed filename value against a list of allowed filenames... Any feedback? Thanks again...

thebadbad Posted August 25, 2008
That seems like a fine solution. As long as you're taking these security measurements you're mentioning, just go with what suits you.

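The white-list approach discussed in this thread, as an added example that is not any poster's code: the request value is used only as a lookup key, and the resolved path must stay inside one directory, so a name like the password.php mentioned above can never be reached. The directory `public_source`, the function `resolveAllowedSource()` and the file names are assumptions for illustration; the `mixed` type needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: only files copied into this directory are ever shown.
const SOURCE_DIR = __DIR__ . '/public_source';

// Allow-list: the request value is only a lookup key, never a path.
const ALLOWED_FILES = [
    'example1.php' => 'example1.php',
    'example2.php' => 'example2.php',
];

/**
 * Return the absolute path for an allow-listed name, or null to refuse.
 */
function resolveAllowedSource(mixed $requested, string $baseDir, array $allowed): ?string
{
    // ?filename[]=x arrives as an array; anything but a string is refused.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$requested]);
    // realpath() follows symlinks and returns false for missing files;
    // the prefix check keeps a linked or mistyped entry inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolveAllowedSource($_GET['filename'] ?? null, SOURCE_DIR, ALLOWED_FILES);
if ($path === null) {
    http_response_code(404);
    exit('Source not available.');
}
// highlight_file() escapes the file contents as HTML while colouring them.
highlight_file($path);
```

Keeping the published copies in their own directory means configuration files and credentials never sit next to anything the viewer can open, even if an entry is added to the list by mistake.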