Are php source files secure on the server?

[daydreamer]

Hi.

 

I have a php file with database information(mysql IP address and pass) on my web server.

 

Is this file safe? is there any way of people downloading the source of this file (if they browse to it it does not echo anything, but is there a way of just downloading the actual php file)?

 

I know you can use encrypting tools such as ionCube and Zend, but is this needed? (also the loaders for these programs are not used on the hosted server and they are very expensive, so this is not really an option).

 

Thanks.

 

 

[premiso]

No, as long as .php is recognized as a PHP file no one can download the source.

 

However if you want a file to be viewable you name it .phps and this will display the source if the server is configured to do so.

[daydreamer]

fast response.. that was less than 60 seconds!

 

ok cheers

[Mark Baker]

For additional safety, move your included files outside of the htdocs tree as well, and set your path accordingly... that way they can't be 'included' by a remote script which can then dump all the variables defined globally in your includes.

[daydreamer]

the hosting company have given me access to only one folder (because its SSL, they charge per SSL folder). I can create as many folders as I want in this one SSL folder, but anyone can access any of the folders I make.

 

It would not provide any extra security to put the includes in another folder in my situation, would it?

 

Would it be any good to put my includes in another folder, then make an index.php file that redirects with:

header('Location: http://www.home.com/');

 

Will this provide extra security? I think it will just make it more convenient for the users if they get lost.

[revraz]

You can't include a script from another site.

 

For additional safety, move your included files outside of the htdocs tree as well, and set your path accordingly... that way they can't be 'included' by a remote script which can then dump all the variables defined globally in your includes.

[Mark Baker]

For additional safety, move your included files outside of the htdocs tree as well, and set your path accordingly... that way they can't be 'included' by a remote script which can then dump all the variables defined globally in your includes.

You can't include a script from another site.

I beg to differ.

The following is perfectly valid.

 

include 'http://www.example.com/file.php?foo=1&bar=2';

 

To quote the manual.

Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

 

 

[DarkWater]

You can't include a script from another site.

 

For additional safety, move your included files outside of the htdocs tree as well, and set your path accordingly... that way they can't be 'included' by a remote script which can then dump all the variables defined globally in your includes.

 

Edit: Totally wasn't paying attention to what you were even talking about, my bad.

[PFMaBiSmAd]

Since including a file using a URL does not include the script in that file, it is a bit off topic to what the OP needs.

[trq]

including a remote script will get you the output produced once the script has been parsed by the remote server.

 

Variables and the like are not brought into the local scope.