
can a visitor see a PHP script's source?


cbassett01


I know that PHP scripts are run on the server side, and not the client side, but I just wanted to clarify something...

 

I've been working with PHP, MySQL and Apache now for some time, but now am doing my first "real world" project that will be in a production environment.  The project is relatively small and basic compared to many other sites (just uses simple login/permissions systems to control access to various pages).

 

Anyway, my concern is if there is a way that a visitor could possibly view the source code of a PHP file?  In particular, PHP files that contain connection information for connecting to MySQL databases (as in, passwords, user names, etc).

 

My reason for this concern is that I have about 3 or 4 PHP script files that contain connection information (each with varying MySQL permission levels), and I don't want someone to be able to figure out the passwords for each of the SQL users I have set up for accessing the database and its tables...  My passwords are quite secure (in their make-up), but obviously if someone can view the password, it doesn't really matter how good it is because someone has seen it.

 

So, how can I protect my pages from viewing by people other than me (or is this not really an issue)?

 


The short answer is "No they can't, if your site is set up correctly".

 

The long answer is there are many ways you could accidentally give access to your source code.  But as a general rule, if you type the script name into the browser and the script gets executed instead of displayed, it's not likely that the source code can be accessed.  You should pay particular attention to any code which allows users to download or view files stored on the server, and make sure that code cannot allow access to your scripts, even if filenames like "../../index.php" are given.

 

Another good general rule is to store your login credentials in a separate directory not under the webroot, and use include() to access them from PHP.  This further reduces the likelihood of the credentials being exposed.
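
The two rules from the answer above, sketched as an added example that is not part of the original thread: a download handler that refuses any path resolving outside its directory, and credentials loaded from a file outside the webroot. The function name `resolve_download()`, the directory layout and the file contents are all constructed for illustration.

```php
<?php
// Added example: resolve_download() and the layout below are hypothetical.

function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory missing
    }
    // realpath() collapses "../" and follows symlinks; false if no such file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allowlist of served types, so a script copied here is still refused.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['txt', 'pdf', 'png'], true) ? $path : null;
}

// Constructed layout in a temp directory:
//   <root>/private/db.php               credentials, outside the webroot
//   <root>/public/index.php             script, inside the webroot
//   <root>/public/downloads/report.txt  the only file meant to be served
$root = sys_get_temp_dir() . '/srcdemo_' . bin2hex(random_bytes(4));
mkdir("$root/public/downloads", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/private/db.php", "<?php return ['user' => 'app', 'pass' => 'PLACEHOLDER'];");
file_put_contents("$root/public/index.php", "<?php echo 'hi';");
file_put_contents("$root/public/downloads/report.txt", "quarterly report\n");
file_put_contents("$root/public/downloads/copy.php", "<?php echo 'hi';");

foreach (['report.txt', '../index.php', '../../private/db.php', 'copy.php', 'missing.txt'] as $name) {
    $ok = resolve_download("$root/public/downloads", $name);
    printf("%-22s %s\n", $name, $ok === null ? 'refused' : 'served');
}

// Scripts under public/ load credentials by filesystem path; no URL maps to private/.
$db = require "$root/private/db.php";
printf("loaded credentials for user %s\n", $db['user']);
```

Run it with the PHP command-line interpreter; only `report.txt` should be reported as served, and the credentials file is readable by the script even though the download check refuses it.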
