    #1 New Coder (joined Jun 2012, 36 posts)

    File permissions so people can't see my PHP script

    I have a PHP script that is currently attached to a form action as a contact form.

    Its permissions are 644.

    Can people see my script? If they can, what should the permissions be changed to?

    I'm using HostGator (cPanel).

  • #2 firepages, Super Moderator, Perth Australia (joined May 2002, 4,093 posts)
    People can call your script, e.g. blah.com/path/form.php, but all they will see is the generated HTML, not the PHP code.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3 Senior Coder (joined Sep 2010, 2,182 posts)
    I did what firepages described on one of my scripts and all I saw was a blank page. But I had an HTML page on the site with a link to a PHP page and I could see the script on that page, so don't put HTML pages on your site. Also, just using the link in your browser, try to access a folder that has no index.php; if the server gives a directory index, people would be able to access your files directly. You can just put a 'dummy' index.php in the folder or have the server settings changed.

  • #4 Fou-Lu, God Emperor, Saskatoon, Saskatchewan (joined Sep 2002, 16,994 posts)
    Or disable the Indexes option, or specify specific ignore files with IndexIgnore in .htaccess or httpd.conf.

    At the end of the day, so long as your PHP processor is working you will not see source PHP code when accessed through a web interface. You will see the parsed HTML result, and this is the case always unless it's served through the filesystem. Filesystem permissions are only applicable at filesystem level, so 644 is perfectly fine, but won't help if the owner account is compromised. Although I will suggest that execute privilege be off on all files.
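As an added example (not code from the thread or from any of its posters), here is a small POSIX shell script that applies what posts #3 and #4 recommend on a cPanel/Apache account: turn off auto-generated directory listings with Options -Indexes, keep backup-looking names out of any listing with IndexIgnore, drop stray execute bits so files sit at 644 and directories at 755, and, as the fallback from post #3 for hosts that do not let .htaccess override Options, put an empty index.html into every directory that has no index file. The document root /home/user/public_html in the usage line is an assumed example path, and the script assumes Apache honours .htaccess (AllowOverride Options), which is the usual shared-hosting setup.

```shell
#!/bin/sh
# Added example, not code from the thread.  Hardens a cPanel/Apache document
# root against directory listings and stray execute bits.

# Append the two mod_autoindex directives to .htaccess unless they are
# already there, so the function is safe to run repeatedly and never
# overwrites rules the account already has.
write_htaccess() {
    f="$1/.htaccess"
    grep -q '^Options -Indexes' "$f" 2>/dev/null || cat >> "$f" <<'EOF'
# Never generate a directory listing when index.php/index.html is missing.
Options -Indexes
# If a listing is ever re-enabled, keep these names out of it.
IndexIgnore .htaccess *.inc *.bak *.orig *.sql
EOF
}

# 644 on files, 755 on directories.  The execute bit means nothing to PHP
# served through mod_php or FastCGI; it only matters once an attacker has a
# shell on the box, so it is dropped from every file.
fix_permissions() {
    webroot="$1"
    find "$webroot" -type d -exec chmod 755 {} +
    find "$webroot" -type f -exec chmod 644 {} +
}

# Number of files that still carry any execute bit (0 means the tree is clean).
count_executable_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) | wc -l | tr -d ' '
}

# Fallback from post #3: an empty index.html in each directory that has
# neither index.php nor index.html, so Apache has something to serve instead
# of a listing even where Options cannot be overridden.
add_dummy_index() {
    find "$1" -type d | while IFS= read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || : > "$dir/index.html"
    done
}

harden_webroot() {
    write_htaccess "$1"
    fix_permissions "$1"
}

# Usage (assumed path):  harden_webroot /home/user/public_html
```

Run it as the account owner, not root, so the files keep the ownership the PHP handler expects; count_executable_files is the check to run afterwards, and add_dummy_index only if the host refuses Options -Indexes.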

  • #5 Keleth, Senior Coder, New Jersey (joined Jun 2008, 2,537 posts)
    Although, you can force your browser to download a link/URL rather than process it, so that won't really secure code... The only real way to do that is to either make it so your files are inaccessible (force all files through a central processing file, using .htaccess to redirect all files to a controller) or to encode your code.

  • #6 Fou-Lu, God Emperor, Saskatoon, Saskatchewan (joined Sep 2002, 16,994 posts)
    Can you show me a demonstration of force downloading a PHP page from the client end that results in a non-parsed output?

  • #7 Keleth, Senior Coder, New Jersey (joined Jun 2008, 2,537 posts)
    I can't remember the keyboard combination atm, though I frequently accidentally downloaded pages from a site rather than visiting them, but just right-clicking on a link to a PHP page and clicking "Save link as" or "Save Target As" downloads the file rather than going to it.

  • #8 Fou-Lu, God Emperor, Saskatoon, Saskatchewan (joined Sep 2002, 16,994 posts)
    That should still be served by your webserver. So long as the processing engine is working properly, then the result should be the parsed results, not the script code.
    PHP would have been long abandoned if you could simply save the script. There would be no need to provide database connection details since they may as well be publicly accessible.

  • #9 Keleth, Senior Coder, New Jersey (joined Jun 2008, 2,537 posts)
    Yah, you're right that the save-as is the parsed code, I was wrong there. But I will look at how I downloaded it in the past. It's possible it was a bug in a previous version of Firefox, but I know I've gotten unparsed code in the past through a keyboard combination and click.

  • #10 Fou-Lu, God Emperor, Saskatoon, Saskatchewan (joined Sep 2002, 16,994 posts)
    Client shouldn't have any permissions on a filesystem to access a file directly, so I wouldn't expect this to be a bug in a browser. I wouldn't rule out a bug in Apache though effectively bypassing the interpreter (although I'm not really too concerned at this error either; I don't recall seeing any bug reports of this nature although I don't actually pay that much attention to apache ones).
    That said, one of the more common causes is simply using force download in apache settings for unknown types, and providing no parser for the PHP. That will result in plain text download as the source.

  • #11 Senior Coder (joined Sep 2010, 2,182 posts)
    Originally posted by Keleth:
        Yah, you're right that the save-as is the parsed code, I was wrong there. But I will look at how I downloaded it in the past. It's possible it was a bug in a previous version of Firefox, but I know I've gotten unparsed code in the past through a keyboard combination and click.
    What you may have done is use the Flashgot downloader with Firefox. The version I have has three applications it calls, one is cURL, which can do that kind of stuff.

  • #12 Fou-Lu, God Emperor, Saskatoon, Saskatchewan (joined Sep 2002, 16,994 posts)
    The only way to get the source is at a level from the filesystem. Protocols that use http including curl would result in the parsed results.

  • #13 firepages, Super Moderator, Perth Australia (joined May 2002, 4,093 posts)
    As Fou-Lu says, unless your webserver is misconfigured you can't get PHP source no matter what application or incantations you use, assuming you are calling via http/https.

    What may have happened to Keleth is there was a fad for using .inc files (or other non-PHP extensions) instead of simply naming the file .php; if the webserver was not specifically configured to parse .inc as application/x-httpd-php etc., then you could view the source of such a file in all its naked glory, assuming you knew where it was on the filesystem.
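As an added example, not code from the thread or its posters: two checks for the situation firepages describes in #13 and Fou-Lu in #10, where a file holding PHP is handed out as plain text because its extension (.inc, .bak, .orig, a .php.bak backup) is not one the interpreter is configured for. The first function walks the web root and lists such files; the second reads an HTTP response body on stdin and reports whether it still contains a PHP open tag, which is the practical test of whether a given URL is being parsed rather than served raw. File names in the comments and the curl wrapper's URL are assumptions; the wrapper assumes curl is installed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Finds PHP that a web server may
# serve as plain text, and tests a fetched response for leaked source.

# Filesystem side: list files under the web root that contain a PHP open tag
# but whose name does not end in .php.  Apache only passes the extensions
# named by its AddHandler/AddType/SetHandler lines (normally just .php) to
# the interpreter; a config.inc or form.php.bak with <?php inside is sent
# verbatim to anyone who guesses the path.
find_unparsed_php() {
    webroot="$1"
    # -r recurse, -I skip binaries, -l print each matching file name once;
    # sort ends the pipeline so an empty result still exits 0.
    grep -rIl -e '<?php' -e '<?=' "$webroot" | grep -v '\.php$' | sort
}

# Response side: read an HTTP body on stdin and succeed (exit 0) if it still
# contains a PHP open tag, i.e. the server returned source instead of output.
# A correctly parsed page never contains these tags unless the script prints
# them on purpose, so a hit is worth investigating.
response_leaks_php_source() {
    grep -q -e '<?php' -e '<?='
}

# Live check for one URL (assumed example: https://example.com/form.php).
# Fetches the body first so a failed fetch is not mistaken for a clean page.
check_url() {
    url="$1"
    body=$(curl -fsS "$url") || { echo "fetch failed: $url"; return 2; }
    if printf '%s' "$body" | response_leaks_php_source; then
        echo "LEAK: $url returned PHP source"
        return 1
    fi
    echo "ok: $url was parsed"
}
```

Run find_unparsed_php against the document root after any deploy, and check_url against each script's URL after changing handlers or hosts; a file that shows up in the first list is reachable as text by anyone who learns its name, which is exactly the .inc case described above.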
