When saving via FTP, server briefly triggers "save as" for PHP file, shows code

[cleszczak]

I'm new to PHP and I'm worried about any security issues there might be.  When I noticed this I was very reluctant to use plain text passwords (such as the one needed to access the MySQL database).  I'm not sure what is causing this to happen so forgive me if I don't provide enough details

 

Versions:

Ubuntu Server 10.04.1 LTS; Apache2; PHP Version 5.3.2-1ubuntu4.5

 

I use a program on my laptop to create a virtual drive for the files that are stored on my server.  It uses FTP to connect to the server and load/save files.  This is what happens when I edit my PHP files:

• Make changes to PHP file
  
• Save file (saves directly to server)
  
• Reload PHP file in web browser on local machine
  
• Browser shows "save as" dialog (only happens for a couple seconds, see below)
  

 

If I save the page and open it, I can read all the code in the file including whats between the <?php and ?> tags.  I have done this from two seperate computers.  One was connected to the local network, the other was on a different internet connection.  I got the same result when refreshing the page from both computers and was able to save and view the source.  However, it only happens when I reload the page immediately after saving.  If I wait a few seconds and then reload the page it loads like a normal PHP file.  I like PHP much better than CGI and do not want to go back to using perl just because of this.

[cleszczak]

I've been picking at the issue for a bit and came up with some new information that might help resolve this issue.

 

I've noticed that when saving with the text editor I normally use (on the local machine), it deletes the file and creates a new one instead of just overwriting it.  I've tried a different text editor and the alternative editor did overwrite the file instead of deleting it and creating a new one.  Coincidentally, the browser stopped showing the "save as" dialog when reloading the PHP page right after a save with the alternative editor. 

 

I have also ran about 10-15 'ls -al' commands on the server within a 3-4 second period right after saving the file with both editors.  I've noticed that the file being saved is gone from the server for a few seconds when saving with my normal editor.  When saving with the alternative editor the file is always displayed with the 'ls -al' command.  I ran about 5 of these tests with each editor and got the same results.

[Pikachu2000]

It isn't real clear what your actual problem is. Are you saying you can view the php code in your web browser? Explain as clearly and concisely as you can what's happening.

[cleszczak]

I have a PHP file located on my server opened for editing in my text editor that I am using on my local machine.  When I save the file to the server through the text editor (file saves directly to the server via FTP) and try to load the PHP file in any web browser (from any machine/internet connection) right after the save (within a few seconds) the browser asks me if I want to open it with a text editor or save it to the computer.  If I open the file or save it, I get access to the full source, including code between the php tags <?php ... ?>  However, if I wait more than 5 seconds after I save the PHP file with the text editor, the server returns the page to the browser like normal (PHP code executed and not displayed in the page).

 

I have noticed that this doesn't occur when I use a different text editor to change and save the PHP file.

[Doug G]

Maybe your editor program is adding a file extension like the way notepad on windows adds .txt to a filename.

[Pikachu2000]

If that was the case, a 404 should be generated until the file is properly renamed, or the old file should be served.

[Pikachu2000]

It does sound like an issue with the editor, though.

[cleszczak]

The editor was renaming the file to make a backup then saving the altered version as a new file.  I changed the backup settings and everything is working normal now, marking as solved. 

 

Thanks for taking your time to help