I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that ma
One simple thing you can do to guard against a simple server misconfiguration is to have the HTML file include a PHP file which is outside of the document root (at or above the level of the document root, usually "htdocs"). That way, if there was a brief misconfiguration, all the user would get would be the path to the included file, but they would not be able to load that included file directly in their browser.
What if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script?
Security holes aside, this typically happens when someone's messing with the server or migrating the site across servers and the PHP files have been dumped into a folder that's not set up to execute PHP. This is the price you pay for PHP deployment being as simple as dropping files into a folder.
Whilst it's never ideal to leak PHP source, you can mitigate the situation by putting all your sensitive deployment information (like database passwords) in a PHP include file that lives outside the web root (the folder mapped to the / URL, often known as htdocs). It's much harder to screw up the configuration to leak that.
(For larger, more modular projects you will typically be doing the bulk of your processing work in includes anyway.)
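A sketch of the layout both answers describe, added here as an example and not code from either answer: the entry point under htdocs holds only a path, and the credentials live in a sibling directory that no URL maps to. The directory names, the `load_private_config` helper and the config array keys are assumptions chosen for illustration.

```php
<?php
// htdocs/index.php (constructed example; all paths are assumptions)
declare(strict_types=1);

/**
 * Load a secrets file, refusing any path that resolves inside the web root.
 * Hypothetical helper, not part of PHP or any framework.
 */
function load_private_config(string $configPath, string $docRoot): array
{
    $realConfig = realpath($configPath);
    $realRoot   = realpath($docRoot);
    if ($realConfig === false || $realRoot === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Trailing separator so /var/www/htdocs-old is not mistaken for /var/www/htdocs.
    $rootPrefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realConfig, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    $config = require $realConfig;   // the file is expected to `return [...]`
    if (!is_array($config)) {
        throw new RuntimeException('Config file did not return an array');
    }
    return $config;
}

// Assumed layout:
//   /var/www/example/private/db.php    <- secrets, not reachable by URL
//   /var/www/example/htdocs/index.php  <- this file
try {
    $config = load_private_config(
        dirname(__DIR__) . '/private/db.php',
        $_SERVER['DOCUMENT_ROOT'] ?? __DIR__
    );
    $pdo = new PDO($config['dsn'], $config['user'], $config['password']);
} catch (Throwable $e) {
    // Details go to the server log only; the client sees a generic error.
    error_log('bootstrap failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

If the server stops executing PHP and serves this file as text, the reader sees the relative path `/private/db.php` but cannot request that file, because it sits outside the folder mapped to `/`.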