How do I prevent PHP files from being downloaded "illegally", e.g. through the browser? And what are some ways someone can use to download the PHP files?
views: 109, answers: 2
Q:
How to prevent PHP files from being downloaded? And what are some ways someone can download them?
+3
A:
Under normal circumstances, nobody is able to download PHP source code, since it is executed on the server. The webserver recognizes PHP scripts and passes them to PHP. The result is then passed back to the browser of the requesting user. The situation you described can only be achieved if the webserver configuration is really messed up.
elusive
2010-09-13 18:58:44
Would +1 if I had votes left - this is probably everything there is to say; there probably is no problem at all.
Pekka
2010-09-13 19:06:55
"Under normal circumstances" - an additional [safe guard](http://en.wikipedia.org/wiki/Defense_in_depth_(computing)) is always useful in case something *really* goes wrong. (a car should not crash, but in case of a crash, the driver will have seatbelts and air bags protecting him)
Lekensteyn
2010-09-14 14:59:56
@Lekensteyn: You are right. As I said in the comments to the question, I really like your solution.
elusive
2010-09-14 15:37:36
+4
A:
You can't really prevent files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:
<?php
// Deliberately insecure: the file name comes straight from the query string,
// so "../" sequences or absolute paths can read any file the webserver user can open.
readfile($_GET['file']);
?>
If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:
# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
<FilesMatch "\.(php|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml files as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
AddType text/html .php .phtml .phps
AddHandler application/x-httpd-php .php .phtml
AddHandler application/x-httpd-php-source .phps
</IfModule>
Lekensteyn
2010-09-13 18:58:51
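A hardened counterpart to the `readfile($_GET['file'])` snippet above, added here as an example (it is not part of Lekensteyn's answer or of any project): it only serves bare file names from one download directory, checks the extension against an allow-list that excludes PHP scripts, and verifies the canonical path stays inside that directory. The `downloads` directory and the extension list are assumptions.

```php
<?php
// Added example, not from the original answer. DOWNLOAD_DIR and
// ALLOWED_EXTENSIONS are assumed values for illustration.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloads';       // assumed public download area
const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'zip'];  // never .php, .phtml or .phps

/**
 * Resolve a user-supplied name to a file inside $baseDir, or return null.
 * Rejects directory separators (so "../" traversal), NUL bytes, disallowed
 * extensions, and symlinks that resolve outside the base directory.
 */
function resolveDownload(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // Only a bare file name is accepted: no '/' or '\', no NUL byte.
    if ($requested === '' || preg_match('/[\/\\\\\0]/', $requested) === 1) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // realpath() canonicalises (resolving symlinks) and returns false if missing.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // The canonical target must still live directly under the canonical base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

$path = resolveDownload((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// Force a download so the browser never tries to interpret the content.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

With this check in place, a request such as `?file=../../config.php` returns 404 instead of the script source, even though `readfile()` is still the function doing the work.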
Thanks for your response. How do I include this in the PHP file, just copy and paste it the same way, or do I have to do something else? And in other words you are saying no matter what nobody can download the files if the server is secure?
AAA
2010-09-13 19:01:53
@AAA: This has nothing to do with the PHP script itself. It belongs in your apache configuration.
elusive
2010-09-13 19:03:59
@AAA relax. Chances are there is no problem at all. Every normal server configured to parse PHP files will *not* let people download the PHP source code.
Pekka
2010-09-13 19:05:49
@Lekensteyn I only now see and appreciate what your suggestion is doing. *Nice!* The first IfModule would be well suited as the standard .htaccess for any project for total safety.
Pekka
2010-09-13 19:12:21
@AAA I don't know that particular product but I assume it is a hosting service or a pre-configured virtual server - it's extremely likely everything is already configured correctly there.
Pekka
2010-09-13 19:13:04
Doesn't adding the .phps handler actually open up the very hole the OP is looking to plug?
Marc B
2010-09-13 20:11:25
@Marc B, files with a .phps extension will be shown anyway. Adding the `application/x-httpd-php-source` handler will just add a nice syntax highlighting to the file.
Lekensteyn
2010-09-14 14:56:25