views: 61
answers: 2

Hi all, I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?

+2  A: 

One simple thing you can do to guard against a simple server mis-configuration is to have the HTML file include a PHP file which is outside of the document root (at or above the level of the document root, usually "htdocs"). That way if there was a brief misconfiguration all the user would get would be the path to the included file, but they would not be able to load that included file directly in their browser.

Devin Ceartas
+3  A: 

what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script?

Security holes aside, this typically happens when someone's messing with the server or migrating the site across servers and the PHP files have been dumped into a folder that's not set up to execute PHP. This is the price you pay for PHP deployment being as simple as dropping files into a folder.

Whilst it's never ideal to leak PHP source, you can mitigate the situation by putting all your sensitive deployment information (like database passwords) in a PHP include file that lives outside the web root (the folder mapped to the / URL, often known as htdocs). It's much harder to screw up the configuration to leak that.

(For larger, more modular projects you will typically be doing the bulk of your processing work in includes anyway.)

bobince
I'm new to PHP, how would I then access those scripts from within my webpages code?
Grue
This is essentially identical to my recommendation. You just use "include" or "include_once" and give the relative or absolute path to the file.
Devin Ceartas
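The layout both answers recommend, as an added example that is not code from either answer: a small config file one level above the document root, and a page inside the document root that pulls it in with an absolute path built from __DIR__. The paths, the config keys, the database credentials and the helper name load_private_config are all assumed for illustration. The helper also refuses to run if the secrets file turns out to resolve inside DOCUMENT_ROOT, which is the mistake that would make a "PHP not executing" misconfiguration leak the credentials rather than just a path.

```php
<?php
// Added example, not from the thread. Assumed deployment layout:
//   /var/www/example.com/htdocs/webpage.php   <- document root, served by the web server
//   /var/www/example.com/private/config.php   <- outside the document root, never served
//
// private/config.php contains nothing but a returned array (example values):
//   <?php
//   return [
//       'db_dsn'  => 'mysql:host=127.0.0.1;dbname=shop',
//       'db_user' => 'shop',
//       'db_pass' => 'example-secret',
//   ];

declare(strict_types=1);

/**
 * Load a PHP config file that returns an array.
 *
 * Fails closed if the file lives inside the document root: if the server ever
 * stops executing PHP, a file under DOCUMENT_ROOT would be sent to the browser
 * as plain text, while a file outside it cannot be requested by URL at all.
 */
function load_private_config(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found: ' . $path);
    }

    // DOCUMENT_ROOT is set by the web server; on the CLI it is absent and the check is skipped.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false) {
        $prefix = rtrim($docroot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException('refusing to load secrets from inside the document root: ' . $real);
        }
    }

    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException('config file must return an array: ' . $real);
    }
    return $config;
}

// webpage.php: resolve the include relative to this file, not the working
// directory, so the path does not change with how the script is invoked.
$config = load_private_config(__DIR__ . '/../private/config.php');

$pdo = new PDO($config['db_dsn'], $config['db_user'], $config['db_pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
?>
<!DOCTYPE html>
<html>
<body>
<p>Connected as <?= htmlspecialchars($config['db_user'], ENT_QUOTES, 'UTF-8') ?></p>
</body>
</html>
```

If the web server later serves webpage.php as static text, the most a visitor learns from it is the string `__DIR__ . '/../private/config.php'`; a request for `/../private/config.php` is normalised by the server before it maps to the filesystem, so the file itself stays out of reach. The realpath check is there for the other failure mode, where someone "tidies up" by moving private/ under htdocs/ and nothing visibly breaks until the PHP handler does.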
@bobince, thanks for the reply, I will make sure my important scripts are not in the htdocs folder. In other reading I have also found a lot of people encrypt their PHP, can you recommend any tools and tactics for doing this properly?
typoknig
I'm not a big fan of PHP encryption myself, as it's more overhead, defeats optimisation and makes debugging a pain. Many PHP encryption schemes are only meant for trivial obfuscation; to make it actually secure in the case of a leak you would have to put a key for decrypting the body of the file in an include file (again) outside the webroot.
bobince
Agreed. I've never used code encryption. If it is that important there is probably a better way to do it. For example, I've built an ecommerce server which provides SaaS to my PHP via REST, separating critical functions like storing CC #s on a separate machine.
Devin Ceartas