PHP source code security on server

耶瑟儿~ 2021-01-13 11:57

I am a PHP newbie and I have a PHP security question. Is it possible for somebody to get the source code of a PHP script file running on a server with default configuration?

8 answers
  • 2021-01-13 12:22

    If the server is properly configured to run PHP code, then people without direct access to the server cannot view the PHP source code. You don't have to do anything else.

    It is only because that server was not configured to run PHP, and instead served it as text, that you could see the source.

  • 2021-01-13 12:23

    For the most sensitive information, I'd suggest putting it outside of your web root folder, and including it through "require" or "include". This way, even if some configuration gets botched on the server, the visitor will only get served the line "include('secret_stuff.php');" and not the actual script.

  • 2021-01-13 12:25

    Exactly what David Dorward said, but I would advise you take a look at the following patch(es) that would modify Apache to not send source code, regardless of a misconfiguration.

    http://mirror.facebook.net/facebook/patches/ap_source_defense.patch

    Patch like so:

       cd apache-1.3.x
       patch -p1 -i ap_source_defense.patch
    

    More Patches from Facebook Development Team: http://mirror.facebook.net/facebook/patches/


    The best way to protect your much needed source is to place it outside the public root directory, as, if Apache is running, it will not be able to serve files directly from the folder above public_html.

    for example:

    C:/server/apache/
    C:/server/apache/htdocs/
    C:/server/apache/htdocs/includes/
    

    People can specifically view the files by going to

    http://hostname.tld/includes/
    

    but having the directory structure of:

    C:/server/apache/
    C:/server/apache/includes/
    C:/server/apache/htdocs/
    

    and then within

        C:/server/apache/htdocs/index.php
    

    you have

    <?php
        require_once('../includes/config.php');
    ?>
    

    This should protect all major files bar the view file (index.php).

  • 2021-01-13 12:29

    If the server is not configured to handle PHP files, then it will treat them like any other unknown file (and serve them as either text/plain or application/octet-stream).

    PHP support is, as far as I know, always provided as an extension or external program (for CGI, FastCGI, etc) and never as a built in for an HTTP server.

  • 2021-01-13 12:35

    If you have this line in your Apache httpd.conf file,

    AddType application/x-httpd-php .php
    

    Apache should deal with data, rather than showing them...

    Also you need to start php services.

  • 2021-01-13 12:35

    Your second problem is misconfigurations. There's not much you can do, albeit there might(?) be options to construct a RewriteRule to prevent accidental accessibility.

    The best prevention however is to keep all scripts outside of the DOCUMENT_ROOT. Just leave a single index.php there, and include all dependencies from there. This is also the best strategy to avoid leaking of configuration data (also don't use ini files for sensitive data, but always .php scripts).

    Another worry are shared hosting servers however. All concurrent users on a server can read out your scripts (if not through PHP then via Perl/bash CGIs). Nothing you can do about that, unless you change to a professional hoster which supports running everything through suexec and thus allowing individual permissions.

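Putting the advice from the answers above together (a single index.php under the document root, includes one level up, and .php explicitly mapped to the PHP handler) as an Apache 2.4 virtual host. This is an added example, not configuration from any of the answers; the paths and ServerName are assumptions for illustration.

```apache
# Assumed layout (not from the thread):
#   /srv/app/htdocs/index.php      <- the only file meant to be requested
#   /srv/app/includes/config.php   <- loaded via require_once from index.php
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot "/srv/app/htdocs"

    # Public directory: no directory listings, no .htaccess overrides.
    <Directory "/srv/app/htdocs">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Includes live outside DocumentRoot, so no URL maps to them.
    # Denying them explicitly is defence in depth in case someone later
    # adds an Alias or moves DocumentRoot up a level.
    <Directory "/srv/app/includes">
        Require all denied
    </Directory>

    # Route .php through the PHP module instead of relying on AddType.
    # Only effective when mod_php is loaded; with PHP-FPM use the
    # proxy_fcgi handler instead.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</VirtualHost>
```

After a config change, request index.php and check that the response is rendered output rather than a body starting with `<?php`; that is the quickest way to confirm the handler is actually active.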