cbassett01 Posted June 29, 2011

I know that PHP scripts are run on the server side, and not the client side, but I just wanted to clarify something...

I've been working with PHP, MySQL and Apache now for some time, but now am doing my first "real world" project that will be in a production environment. The project is relatively small and basic compared to many other sites (just uses simple login/permissions systems to control access to various pages).

Anyway, my concern is if there is a way that a visitor could possibly view the source code of a PHP file? In particular, PHP files that contain connection information for connecting to MySQL databases (as in, passwords, user names, etc).

My reason for this concern is that I have about 3 or 4 PHP script files that contain connection information (each with varying MySQL permission levels), and I don't want someone to be able to figure out the passwords for each of the SQL users I have set up for accessing the database and its tables... My passwords are quite secure (in their make-up), but obviously if someone can view the password, it doesn't really matter how good it is because someone has seen it.

So, how can I protect my pages from viewing by people other than me (or is this not really an issue)?

btherl Posted June 29, 2011

The short answer is "No they can't, if your site is set up correctly". The long answer is there are many ways you could accidentally give access to your source code. But as a general rule, if you type the script name into the browser and the script gets executed instead of displayed, it's not likely that the source code can be accessed.

You should pay particular attention to any code which allows users to download or view files stored on the server, and make sure that code cannot allow access to your scripts, even if filenames like "../../index.php" are given.

Another good general rule is to store your login credentials in a separate directory not under the webroot, and use include() to access them from PHP. This further reduces the likelihood of the credentials being exposed.

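The two rules in the reply above, sketched as an added example that is not part of the original thread: a download handler that refuses names like "../../index.php", and a credentials file kept outside the webroot and loaded with include. The function name `resolveDownload`, the directory layout and the credential values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Paths and names below are constructed.

/** Return the real path of $requested inside $baseDir, or null if it must not be served. */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "docs-old" cannot pass as "docs".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Never hand out script source, even from inside the allowed directory.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $real;
}

// Constructed tree: public/ is the webroot, private/ sits beside it.
$root = sys_get_temp_dir() . '/webroot_demo_' . uniqid();
mkdir("$root/public/files/docs", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/public/index.php", "<?php // page\n");
file_put_contents("$root/public/files/docs/manual.txt", "hello\n");
// No URL maps to private/, so a misconfigured handler cannot serve this as text.
file_put_contents("$root/private/db.php",
    "<?php return ['user' => 'app_ro', 'pass' => 'placeholder'];\n");

$docs  = "$root/public/files/docs";
$names = ['manual.txt', '../../index.php', '../../../private/db.php', 'missing.txt'];
foreach ($names as $name) {
    $path = resolveDownload($docs, $name);
    echo str_pad($name, 26), $path === null ? "rejected\n" : "served\n";
}

// A script under public/ loads the credentials by filesystem path, not by URL.
$db = include "$root/private/db.php";
echo "db user: {$db['user']}\n";
```

Only `manual.txt` is reported as served; the traversal names resolve to real files but fall outside the allowed directory, and the missing file fails at `realpath()`.
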
Andrew777 Posted July 3, 2011

Also, I like to block external access to directories using .htaccess files (like in the "includes" directory where you keep your db connection file and functions files) to further help security.

vicdesigns Posted July 4, 2011

You can just put a blank index.html file in there which will stop the files from being viewed in public.