Is there any way to get the source file of PHP like you would for HTML file or javascript from web browser alone? If so how? If not why?

A: 

Only if the web server happens to fail. Otherwise no, because all code is executed on the server and only its results are sent to the browser.

Mchl
+2  A: 

No, this is not possible. Server-side languages are meant to be interpreted and run before the output is sent to the browser.

Jacob Relkin
It is possible, just not easy.
Rook
Right... when the server fails, the entire text will be printed on the web browser correct? So how does PHP script get interpreted?
denniss
Yeah, but this is dependent on bad server-side code, not the actions of the client. It's impossible to retrieve the server-side code on demand.
Jacob Relkin
@Jacob Relkin you can if you are running an old version of IIS or Tomcat.
Rook
+2  A: 

Of course. But only if the web server is configured to return just the file and not interpret it first. Most web servers hosting PHP files aren't configured this way.

David
+1  A: 

You need to find a remote file disclosure vulnerability like this one. These most often occur in the application itself and can be detected by using a web application vulnerability scanner like w3af.

MySQL-based SQL injection can be used to read files using the load_file() function as described here.

It is possible that the httpd can be vulnerable to a source code disclosure attack, such as this one in IIS.

Rook
A: 

No, it would pose a massive security risk with MySQL passwords and other sensitive data.

esqew
yea... that's why I am worried.
denniss
You put the passwords *in* your code? That in itself is a massive security risk. Put it/them in a config file, put the file *outside* the web space so there's *no way* the server can send it. Lock the file down with very restrictive permissions. Don't check the file into version control.
Stephen P
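
A deployment check for the advice in the comment above and for the misconfiguration David's answer describes (a server that returns a file without interpreting it first). This is an added example, not code from anyone in this thread; the names `audit`, `demo` and `INTERPRETED`, the constructed sample tree, and the assumption that only `.php` is mapped to the interpreter are illustrative.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: only these extensions are handed to the PHP interpreter.
INTERPRETED = {".php"}

def audit(docroot, config_file):
    """Return a list of findings for a PHP deployment."""
    docroot = Path(docroot).resolve()
    config = Path(config_file).resolve()   # resolve() follows symlinks
    findings = []
    # Check 1: the secrets file must not live under the web root.
    if config == docroot or docroot in config.parents:
        findings.append(f"config inside web root: {config}")
    # Check 2: no permission bits for group or others.
    mode = stat.S_IMODE(config.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config mode {mode:o} is readable beyond owner")
    # Check 3: PHP source stored under an extension the server does not
    # interpret (.inc, .bak, .phps, ...) is returned to the browser as text.
    for path in sorted(docroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() in INTERPRETED:
            continue
        with path.open("rb") as fh:
            if b"<?php" in fh.read(4096):
                findings.append(f"served as source: {path.relative_to(docroot)}")
    return findings

def demo():
    """Build a constructed sample tree and audit two config locations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "htdocs")
        root.mkdir()
        (root / "index.php").write_text("<?php require 'db.inc'; ?>")
        (root / "db.inc").write_text("<?php $pw = 'example'; ?>")
        bad = root / "config.php"             # inside the web root, mode 644
        bad.write_text("<?php $pw = 'example'; ?>")
        os.chmod(bad, 0o644)
        good = Path(tmp, "private", "config.php")   # outside, mode 600
        good.parent.mkdir()
        good.write_text("<?php $pw = 'example'; ?>")
        os.chmod(good, 0o600)
        return audit(root, bad), audit(root, good)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `db.inc` finding appears in both runs because it depends on the web root contents, not on where the config file lives.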
+1  A: 

There is a way to do this - but the web server needs to be set up to serve ".phps" as text/plain, as I've done to demonstrate code examples from my web server. However, if you're trying to poach code from a website running PHP it's really not possible. Not from the web browser.

Marco Ceppi
A: 
<?printf($f='<?printf($f=%c%s%c,39,$f,39);?>',39,$f,39);?>

so, yes.

mvds
whaaat?? what the heck is `$f` and what is this script supposed to accomplish, and how are you supposed to execute it on a server that isn't yours?
Mark
Mark, this code prints itself.
iandisme