I have a PHP script that is currently attached to a form action as a contact form.
Its permissions are 644.
Can people see my script? If they can, what should the permissions be changed to?
I'm using HostGator (cPanel).
07-11-2012, 07:14 AM
People can call your script, e.g. blah.com/path/form.php, but all they will see is the generated HTML, not the PHP code.
07-11-2012, 03:26 PM
I did what firepages described on one of my scripts and all I saw was a blank page. But I had an html page on the site with a link to a php page and I could see the script on that page, so don't put html pages on your site. Also, just using the link in your browser, try to access a folder that has no index.php, if the server gives a directory index, people would be able to access your files directly. You can just put a 'dummy' index.php in the folder or have the server settings changed.
07-11-2012, 03:34 PM
Or disable Indexes options or specify specific ignore files on IndexIgnore in .htaccess or httpd.conf.
At the end of the day, so long as your PHP processor is working you will not see source PHP code when accessed through a web interface. You will see the parsed HTML result, and this is the case always unless it's served through the filesystem. Filesystem permissions are only applicable at filesystem level, so 644 is perfectly fine, but won't help if the owner account is compromised. Although I will suggest that execute privilege be off on all files.
07-11-2012, 03:47 PM
Although, you can force your browser to download a link/URL rather than process it, so that won't really secure code... The only real way to do that is either to make it so your files are inaccessible (force all files through a central processing file, using .htaccess to redirect all files to a controller) or to encode your code.
07-11-2012, 05:26 PM
Can you show me a demonstration of force downloading a PHP page from the client end that results in a non-parsed output?
07-11-2012, 05:42 PM
I can't remember the keyboard combination atm, though I frequently accidentally downloaded pages from a site rather than visiting them, but just right-clicking on a link to a PHP page and clicking "Save link as" or "Save Target As" downloads the file rather than going to it.
07-11-2012, 06:12 PM
That should still be served by your webserver. So long as the processing engine is working properly, then the result should be the parsed results, not the script code.
PHP would have been long abandoned if you could simply save the script. There would be no need to provide database connection details since they may as well be publicly accessible.
07-11-2012, 06:38 PM
Yah, you're right that the save-as is the parsed code, I was wrong there. But I will look at how I downloaded it in the past. It's possible it was a bug in a previous version of Firefox, but I know I've gotten unparsed code in the past through a keyboard combination and click.
07-11-2012, 06:45 PM
Client shouldn't have any permissions on a filesystem to access a file directly, so I wouldn't expect this to be a bug in a browser. I wouldn't rule out a bug in Apache though effectively bypassing the interpreter (although I'm not really too concerned at this error either; I don't recall seeing any bug reports of this nature although I don't actually pay that much attention to apache ones).
That said, one of the more common causes is simply using force download in apache settings for unknown types, and providing no parser for the PHP. That will result in plain text download as the source.
07-11-2012, 08:50 PM
Quoting Keleth: "Yah, you're right that the save-as is the parsed code, I was wrong there. But I will look at how I downloaded it in the past. It's possible it was a bug in a previous version of Firefox, but I know I've gotten unparsed code in the past through a keyboard combination and click."

What you may have done is use the FlashGot downloader with Firefox. The version I have has three applications it calls, one is cURL, which can do that kind of stuff.
07-11-2012, 09:05 PM
The only way to get the source is at a level from the filesystem. Protocols that use http including curl would result in the parsed results.
07-12-2012, 12:41 AM
As Fou-Lu says, unless your webserver is misconfigured you can't get PHP source no matter what application or incantations you use, assuming you are calling via http/https.
What may have happened to Keleth is that there was a fad for using .inc files (or other non-.php extensions) instead of simply naming the file .php. If the webserver was not specifically configured to parse .inc as application/x-httpd-php etc., then you could view the source of such a file in all its naked glory, assuming you knew where it was on the filesystem.
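The three server-side fixes raised in this thread (turning off directory indexes, routing every request through one controller file, and stopping non-.php include files from being served as plain text) can all be expressed in a single .htaccess. The block below is an added example written for this thread, not configuration posted by any of the participants or shipped by HostGator. It assumes Apache 2.4 with mod_rewrite and mod_authz_core enabled and AllowOverride permitting these directives; the directory and file names are hypothetical. The commented-out lines at the top show the weak settings that lead to the source disclosure described above.

```apache
# --- Weak configuration (what leaks source) --------------------------------
# Options +Indexes          # any directory without an index file lists its contents
# (no handler for .inc)     # /includes/db.inc is served as text/plain, source and all

# --- Hardened configuration -------------------------------------------------

# 1. Never generate directory listings. This is the Options approach from
#    the thread; "IndexIgnore *" is the alternative that keeps listings on
#    but empties them.
Options -Indexes

# 2. Include files, backups and editor leftovers are never meant to be
#    requested directly, so refuse them outright instead of hoping the
#    PHP handler covers their extension.
<FilesMatch "\.(inc|bak|orig|old|swp|sql|log|ini)$">
    Require all denied
</FilesMatch>
<FilesMatch "~$">
    Require all denied
</FilesMatch>

# 3. Front controller: send every request to index.php so the only script
#    the webserver ever executes is the one you chose. index.php itself is
#    excluded to avoid a rewrite loop; static assets under /static/ are
#    allowed through so the site still gets its CSS and images.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/index\.php$
    RewriteCond %{REQUEST_URI} !^/static/
    RewriteRule ^ index.php [L]
</IfModule>
```

Two caveats a practitioner should check. First, none of this helps in the situation Fou-Lu describes where the PHP handler itself is missing or disabled: with no handler, a .php file is just an unknown type and Apache hands out its source, and only the server administrator can fix that. Second, the Require directives are Apache 2.4 syntax; on a 2.2 host the equivalent inside each FilesMatch is "Order allow,deny" followed by "Deny from all". After deploying, request a denied extension and a directory without an index file from a browser and confirm you get 403 responses rather than source or a listing.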