views: 94 | answers: 4

For example, I'm using CodeIgniter and have not really dealt with .php files. Are any of the .php files in the directory structure readable? If not, why not? Why can't I browse to config.php in my CI directory? Is it just Unix file permissions?

Thank you.

+1  A: 

I'm going at this from a 'Browser' standpoint. If you want to see the directory standpoint, look at zombat's answer.

In CodeIgniter specifically, they have probably set up a .htaccess file that directs all of the requests to a single script so they can process it in one script rather than 2 dozen scripts.

Because PHP is a 'server-side' programming language, none of the information in the files ever gets sent to the client. This allows you to use any method to produce an HTML page you want, because the client will never see the code. This doubles as a security device.

In most PHP situations, developers will build the libraries and classes into a folder above the Document_Root (Where the website starts), and then simply put in files that run those classes. This allows them to be absolutely sure that there is no chance of a person finding out their document structure, and using that information to download files that could give them information on how to hack the system.

This method also allows people to not care about what language the server runs on. All web pages are created in HTML, so all the server needs to produce is an HTML file. Whether they use Perl, Python, PHP, or another language is completely up to the developers.

Chacha102
A: 

PHP files on a linux/unix system follow the same file permission rules as everything else. If you can't browse to your config.php file, then yes, the user you are logged in as doesn't have the appropriate file permissions.

Generally you want your permissions on a PHP project to be set up so that the uid that your webserver runs under has appropriate permissions to read and execute files within your web structure.

For myself, I generally set up a webdev group on my LAMP systems, and put the apache user into this group. I set all group permissions properly on a PHP file structure so that Apache can do what it needs to do. This way a user can own all their own web files, and the webdev group can be used to control any other accesses to the structure. This alleviates worries on multi-user systems of someone going in and reading the config file to get, say, your database password.

zombat
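The layout zombat describes (owner rw, a webdev group containing the Apache user with read, nothing for anyone else) can be checked rather than just hoped for. The script below is an added example, not code from the answer or from CodeIgniter: it builds a small web tree in a temp directory, leaves the config file at the common-but-wrong 0644, audits the tree for files the "other" class can read, then tightens the mode to 0640 and audits again. It assumes a POSIX filesystem and a writable temp directory; it does not create groups, so no root is needed, and the hypothetical `webdev` group is only mentioned in comments.

```php
<?php
// Added example (not from the original answer): audit a web tree for files
// that any local user could read, the situation zombat's group setup prevents.

// Return the relative paths of regular files under $dir whose mode grants
// read to "other" (the 0004 bit), sorted for stable output.
function audit_other_readable(string $dir): array {
    clearstatcache(); // fileperms() is cached; make sure we see recent chmod() calls
    $leaks = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && (fileperms($file->getPathname()) & 0004)) {
            $leaks[] = substr($file->getPathname(), strlen($dir) + 1);
        }
    }
    sort($leaks);
    return $leaks;
}

// Constructed sample tree: a front controller plus a config file holding a secret.
$root = sys_get_temp_dir() . '/perm_demo_' . getmypid();
$cfg  = $root . '/application/config/database.php';
mkdir(dirname($cfg), 0750, true);
file_put_contents($root . '/index.php', "<?php\n");
file_put_contents($cfg, "<?php \$db['password'] = 'constructed-example-secret';\n");

// Common mistake: everything 0644, so every account on the box can read the DB password.
chmod($root . '/index.php', 0644);
chmod($cfg, 0644);
echo "Before: " . implode(', ', audit_other_readable($root)) . "\n";
// Before: application/config/database.php, index.php

// Fix: owner rw, group r (the group the web server user belongs to), others nothing.
// index.php holds no secrets, so leaving it world-readable is harmless.
chmod($cfg, 0640);
echo "After:  " . implode(', ', audit_other_readable($root)) . "\n";
// After:  index.php

// Clean up the temp tree.
unlink($cfg);
unlink($root . '/index.php');
rmdir(dirname($cfg));
rmdir(dirname(dirname($cfg)));
rmdir($root);
```

The audit only looks at the "other" read bit, which is the bit that matters on a shared host; group read is intentional in zombat's scheme because that is how Apache gets access. On a real server you would point `audit_other_readable()` at the document root (and the application directory if it lives elsewhere) and expect the list to contain nothing from a config folder.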
+1  A: 

Generally, files like config.php do not have any output. Therefore, they can be accessed by the browser, but the user won’t see anything.

Users never see the source code of your .php files, if that’s what you are worried about. Your web server will pass all .php files through the PHP processor; only the output generated by your .php files is ever sent to the user.

If config.php is in the same directory as your other .php files (and it usually is) then there is no Unix file permissions or .htaccess stuff going on. It is simply a file that produces no output.

Nate
So as long as I have a php processor there's no way to "make" the php files show their source?
johnny
Correct. The only exception I can think of is if you have `display_errors` or `display_startup_errors` turned on: it might show the line of code where an error occurs. You usually turn that off for deployment.
Nate
+1  A: 

To answer your question about why you can't browse to your config.php in CodeIgniter, it's not because of Unix permissions nor is it an .htaccess file protecting it.

All CodeIgniter PHP files have a line at the top of the file that checks for a constant "BASEPATH". The constant is only set when you're going through the framework, so when you try to access a file without going through the framework, "BASEPATH" won't be set and the script will exit.

This is CodeIgniter's portable way of securing files since not everyone uses Apache (.htaccess files).

jimyi
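To make jimyi's BASEPATH guard and Nate's "config.php produces no output" point concrete, here is an added example that is not CodeIgniter's own code or code from either answer. It writes a minimal front controller (`index.php`) and a guarded `config.php` into a temp directory, then runs each through a separate PHP process the way a web server would: once as a direct request to config.php, once through index.php. It assumes the PHP CLI is available via `PHP_BINARY` and that `shell_exec()` is not disabled; the file layout, the `base_url` value and the password are constructed for the demo.

```php
<?php
// Added example (not CodeIgniter's code): why browsing straight to config.php
// shows nothing useful, while going through the framework's entry point works.
// Assumes the PHP CLI is available as PHP_BINARY and shell_exec() is allowed.

$root = sys_get_temp_dir() . '/ci_guard_demo_' . getmypid();
$app  = $root . '/application';   // CodeIgniter keeps config files under here
mkdir($app, 0750, true);

// config.php: the first line is the CodeIgniter-style guard jimyi describes.
// Without BASEPATH the script exits before any value below is ever defined.
file_put_contents($app . '/config.php', <<<'EOT'
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
$config['base_url']    = 'http://example.test/';
$config['db_password'] = 'constructed-example-secret';
EOT
);

// index.php: the single entry point. It defines BASEPATH, then loads the config.
// Only the rendered HTML leaves the server; $config itself is never echoed.
file_put_contents($root . '/index.php', <<<'EOT'
<?php
define('BASEPATH', __DIR__ . '/application/');
require BASEPATH . 'config.php';
echo '<p>Welcome to ' . htmlspecialchars($config['base_url']) . '</p>';
EOT
);

// Run a file in a fresh PHP process (as a web server would) and capture its output.
function run_php(string $file): string {
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file));
}

$direct  = run_php($app . '/config.php'); // simulates browsing to config.php directly
$fronted = run_php($root . '/index.php'); // simulates a normal request via the framework

echo "Direct access output : " . var_export($direct, true) . "\n";
// Direct access output : 'No direct script access allowed'
echo "Via index.php output : " . var_export($fronted, true) . "\n";
// Via index.php output : '<p>Welcome to http://example.test/</p>'

// Clean up the temp tree.
unlink($app . '/config.php');
unlink($root . '/index.php');
rmdir($app);
rmdir($root);
```

The two outputs are the whole story: a direct request reaches the guard and gets a one-line message (or, without a guard, a blank page as Nate says), and in neither case does the password or any other line of PHP reach the client, because the server executes the file rather than serving it. The guard costs nothing and works under any web server, which is the portability point jimyi makes; moving the application directory above the document root, as Chacha102 suggests, adds a second layer on servers where you control the layout.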