This may be a really stupid question... I started worrying last night that there might be some way to view PHP files on a server via a browser or some other means on a client machine. My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file into a browser or some other system and see the code itself, then it would be an issue for obvious reasons.

Is this a legitimate concern? If so how do people go about preventing this?

+5  A: 

Not if your server is configured right. I think discussion on how that is done belongs on serverfault.

Andrew McGregor
A non-programmer can not help you fix vulnerabilities in your code.
Rook
@The Rook: OP is probably more concerned if say, some php code (such as a config) is displayed to the user rather than executed or prevented from even being interacted with, so I have to agree with Andrew.
Longpoke
@longpoke there are 1,000 different ways to accomplish this through a flaw in your code and maybe 2 ways to accomplish this through a misconfiguration.
Rook
I don't understand, Rook. How could you accidentally expose PHP source code. `echo htmlentities(file_get_contents($_GET['page']));`? It's impossible to do that inadvertently. The only realistic way it could happen is through a server misconfiguration.
Lotus Notes
+1  A: 

This depends on the file extension you have given the include file.

If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.

If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.

Guffa
+2  A: 

To add on to the other answers:

If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?

The most important advice is missing:

Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.

For example

root
  - webroot
  - includes
  - config

Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).

Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.

Evert
Good advice, but sadly, not all shared hosts provide or allow you to create folders outside of your webroot.
Blair McMillan
I can't create a dir outside the web root, but what I've done is made a directory for the includes and made its permissions only 'executable' so that the files within must be executed. I'm not sure if this is enough mind, can anyone advise. I don't know how to test it as the concern is only in my head and I haven't actually been able to make the server list the file contents yet.
Columbo
A: 

If you have Firefox, then you can use FirePHP to view and correct the mistakes?

Please see if this works in your case

Starx
Keep in mind this post has a security tag. (i didn't give you the -1)
Rook
A: 

A Directory Traversal Vulnerability can be used to obtain files off of the remote machine. Alternatively you can use MySQL based sql injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.

Rook
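An added example, not code from anyone in this thread, that checks the point Guffa and Rook make above: walk your own web root and list every file that contains PHP source but whose extension the server would not hand to the PHP handler (config.inc, index.php.bak, editor backups), since those are exactly the files a visitor who guesses the name receives as plain text. It assumes the common configuration where only a final .php extension is routed to PHP; adjust EXECUTED_EXTENSIONS to match your AddHandler/SetHandler setup.

```python
"""Audit a web root for PHP source the web server would serve as plain text."""
import re
from pathlib import Path

# Assumption: only files whose final extension is in this set are executed by
# the server; everything else is returned byte-for-byte to the client.
EXECUTED_EXTENSIONS = {".php"}

# A PHP open tag ("<?php" or the short echo tag "<?="); "<?xml" does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


def is_executed(path: Path) -> bool:
    """True if the server would execute this file instead of serving it."""
    return path.suffix.lower() in EXECUTED_EXTENSIONS


def contains_php(path: Path, limit: int = 8192) -> bool:
    """True if the file's leading bytes contain a PHP open tag."""
    try:
        with path.open("rb") as fh:
            return PHP_OPEN_TAG.search(fh.read(limit)) is not None
    except OSError:
        # Unreadable file: cannot be judged here, so it is not reported.
        return False


def find_exposed_sources(webroot) -> list[str]:
    """Return web-root-relative paths of PHP source that would be served as text."""
    root = Path(webroot)
    exposed = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and not is_executed(path) and contains_php(path):
            exposed.append(path.relative_to(root).as_posix())
    return exposed


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel in find_exposed_sources(target):
        print(f"exposed as plain text: {rel}")
```

Run it against the directory Apache serves, not the whole project; anything it prints should either be renamed to .php, moved outside the web root, or blocked in the server configuration.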
A: 

Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's setup though.

Longpoke
A: 

Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:

Order allow,deny
Deny from all

This apparently protects the directory so that only local non web-access is possible. This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.

Does anyone else use this method?

Just for good measure I've put the directory permissions to execute only. And the include extension is PHP as suggested by others.

Columbo