What is visible?

[elmas156]

Hello everyone,

 

I have a general question that I really couldn't find a direct answer to on the web anywhere else.  My question is this:  If I have a page on my site that is strictly php code, such as an include file with database connection code, is that information visible to anyone else out there via the web, or would they actually need to have the php file on their computer and view it in a code editor?  I know that if I use a browser to go to my db_connect.inc.php file, it is simply a blank page with no page source.  Thanks for any help.

[Zephni]

The PHP source is complied on the server, the requests are processed and the HTML is passed back to your browser. The code cannot in anyway be viewed in the browser because it doesn't even reach the browser. Unless you named the PHP file something.txt or some other file type. If your file ends in .php then the server is the only thing that sees the code.

 

(Why have I got a feeling someone is going to come and correct something I have said)

[Jessica]

If your file ends in .php then the server is the only thing that sees the code.

 

As long as php is installed

 

OP, you can put those "private" files in a directory above the public web folder, and still include them. Then you can't even access it in the browser.

[Zephni]

You just had to 

[xyph]

If there's ever an issue with the PHP parser, code might be sent in plain-text.

 

As an extra precaution, many devs put things like MySQL passwords and private encryption keys in a PHP file outside of the web-root. They then include these files, so even if an attacker can read the code, they'll never be able to access the passwords through the web server.

[elmas156]

Thanks... this helps a lot.