views: 131

answers: 5

Is it possible to download PHP files from the server where they are located? I am a beginner in the web area, and I worry that hackers may have special tools to download and see my code, and understand where I have programmed vulnerable code, to hack my site.

+7  A: 

If the server is properly configured and there are no security holes in the code then no, it's not possible.

If you have something like

echo file_get_contents($_GET['myFile']);

then this could be used to get your code - never do this!

Greg
A good secure server will have PHP file functionality disabled.
Roland
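The one-liner in Greg's answer next to a hardened version of the same "serve a file" feature, as an added example that is not code from the original answer. It assumes a hypothetical `downloads/` directory next to the script that holds the only files meant to be served; the function and directory names are mine.

```php
<?php
// Added example, not from the original answer.

// VULNERABLE: the client controls the whole path, so ?myFile=index.php
// (or ?myFile=../../config.php) returns raw PHP source instead of running it.
function serveFileUnsafe(): void
{
    echo file_get_contents($_GET['myFile']);
}

// HARDENED: serve only files that live directly inside one public directory
// ($baseDir is an assumed, hypothetical location), and never anything the
// PHP handler would otherwise execute.
function serveFileSafe(string $requested, string $baseDir): bool
{
    $base = realpath($baseDir);
    // basename() drops any directory component the client supplied, and
    // realpath() resolves "..", symlinks and returns false for missing files,
    // so a traversal attempt either fails here or lands outside $base.
    $target = realpath($baseDir . '/' . basename($requested));
    if ($base === false || $target === false) {
        http_response_code(404);
        return false;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(403);
        return false;
    }
    // Belt and braces: refuse server-side source even if someone drops it
    // into the downloads directory by mistake.
    if (preg_match('/\.(php|phtml|phps|inc)$/i', $target)) {
        http_response_code(403);
        return false;
    }
    header('Content-Type: application/octet-stream');
    readfile($target);
    return true;
}

serveFileSafe($_GET['myFile'] ?? '', __DIR__ . '/downloads');
```

The realpath prefix comparison is the check that actually matters; the basename() call and the extension deny-list are defence in depth, and an allow-list of expected extensions (pdf, zip, ...) is stricter still if the set of files is known.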
+2  A: 

It's not possible to directly download the source to your php files which are processed through Apache, unless your web server for whatever reason suddenly broke and stopped serving php files through the php interpreter (if you were messing around with the settings perhaps and broke it).

A very skilled cracker would probably be able to infiltrate your web server though, and easily download anything on it, but the chances of this are very, very low. If you're not some big company then who would care to take the time to really hack you?

Another point to make is whenever you're dealing with user input, always sanitize, otherwise you'd be susceptible to common XSS attacks (escape strings, don't rely on PHP_SELF, plenty of other sanitisation that can be done).

meder
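The PHP_SELF point in meder's answer, shown as an added example that is not from the original post: a form whose action echoes the request path unescaped, next to the escaped version and the variant that does not use PHP_SELF at all. The hostile path at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not from the original answer.

// VULNERABLE: $_SERVER['PHP_SELF'] includes any PATH_INFO the client appended,
// so a request to  /form.php/"><script>alert(1)</script>  puts attacker
// markup straight into the page.
function formUnsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// HARDENED: HTML-encode anything that originated with the client before it
// is written into markup. ENT_QUOTES also covers single quotes in attributes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function formSafe(string $phpSelf): string
{
    return '<form action="' . e($phpSelf) . '" method="post">';
}

// Simpler still: an empty action posts back to the current URL, so there is
// no client-influenced value to escape in the first place.
function formWithoutPhpSelf(): string
{
    return '<form action="" method="post">';
}

// Constructed hostile value, standing in for $_SERVER['PHP_SELF'] under attack.
$hostile = '/form.php/"><script>alert(1)</script>';
echo formSafe($hostile), "\n";
// Quotes and angle brackets come out as &quot; &lt; &gt;, so the injected
// tag is inert text inside the attribute rather than a script element.
```

The same e() wrapper belongs around every other client-derived value that reaches HTML ($_GET, $_POST, cookies, database rows that were once user input), which is what "escape strings" in the answer means in practice.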
+3  A: 

The configuration of the webserver determines if a file should be passed to the PHP parser or not. This is usually based on the file extension. So, files ending in .php would be parsed, and for PHP source you would use .phps. So .php files on the webserver, used to generate dynamic content, can't be downloaded as source.

andremo
A: 

Hackers don't need your source code to break into your site. In fact the majority of the vulnerabilities on the OWASP Top 10 don't require source code to exploit: http://www.owasp.org/index.php/Top_10_2007

"Black Box" vulnerability scanners like Acunetix (http://www.acunetix.com) or the open source project Wapiti (http://wapiti.sourceforge.net) can uncover SQL Injection, XSS and Source Code Disclosure vulnerabilities easily. It's a great tool.

Rook
Seems suspiciously like an ad for Acunetix, not sure if recommending a $1500 tool is the best answer for this guy, maybe I am just grumpy/touchy though.
Collin
Yep, you're right, I added the link to Wapiti, Wapiti kicks ass :)
Rook
Cheers, wapiti should serve him well!
Collin
+3  A: 

In 9/10 cases the way bad guys can download your php source code is if you keep backup files in the webroot, things like foo.php.bak or foo.php.old or .backup. These are served as plain files by default so be careful of this issue in addition to the above suggestions.

Collin
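A small command-line scanner that checks a webroot for the two disclosure cases raised above, andremo's point that only files with a handler-mapped extension are executed and Collin's point that backup copies are served as plain text. This is an added example, not code from either answer. It assumes the common Apache default where only .php and .phtml go to the PHP handler and everything else is served verbatim; the extension lists and the backup-name pattern are my assumptions and should be adjusted to match the actual AddHandler / FilesMatch configuration.

```php
<?php
// Added example, not from the original answers.
// Usage:  php find-exposed-source.php /var/www/html
// Walks a webroot and reports files that contain PHP code but would be sent
// back as plain text because their extension is not mapped to the PHP handler.

const PHP_HANDLED = ['php', 'phtml'];                  // assumed handler mapping
const BACKUP_PATTERN = '/(\.(bak|old|orig|save|swp|tmp)|~)$/i';  // assumed naming

function isPhpHandled(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, PHP_HANDLED, true);
}

function looksLikeBackup(string $path): bool
{
    $name = basename($path);
    return preg_match(BACKUP_PATTERN, $name) === 1
        || $name[0] === '.'     // .backup, editor drop files
        || $name[0] === '#';    // emacs autosave copies
}

function containsPhp(string $path): bool
{
    // Read only the first 4 KiB; an opening tag that far in is good enough.
    $head = @file_get_contents($path, false, null, 0, 4096);
    return $head !== false && strpos($head, '<?php') !== false;
}

/** Returns [path => reason] for every file that would leak PHP source. */
function findExposedSource(string $webroot): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || isPhpHandled($path)) {
            continue;   // handed to the interpreter, never served raw
        }
        if (!containsPhp($path)) {
            continue;   // static asset, nothing to leak
        }
        $findings[$path] = looksLikeBackup($path)
            ? 'backup copy of PHP source, served as plain text'
            : 'PHP code under an extension the handler ignores (.inc, .txt, .phps, ...)';
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    foreach (findExposedSource($argv[1] ?? '.') as $path => $why) {
        echo "$path: $why\n";
    }
}
```

Anything the scanner reports should be moved out of the webroot rather than renamed; as a second line of defence, Apache 2.4 can refuse to serve such names outright with a `<FilesMatch "(\.(bak|old|orig|save|swp|tmp)|~)$">` block containing `Require all denied`, and the same treatment applies to .inc files if the application keeps includes under the document root.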