Securing PHP scripts.

techjohnny@gmail.com
#1: May 4 '06
Hello:

I have a form that processes a script upon submission. The script is
on the local server, but is accessible through a web browser. I'd like
the user to be able to submit a form and process the script, but not
see the contents of the script.

http://www.form.com/form.htm -> submit -> processes
http://www.form.com/process1.php

I want to be able to store the .php script outside of the Web Root.

How?

Thanks,

--TJ

Dana Cartwright
#2: May 4 '06

re: Securing PHP scripts.


<techjohnny@gmail.com> wrote in message
news:1146702356.443577.31560@v46g2000cwv.googlegroups.com...
> Hello:
>
> I have a form that processes a script upon submission. The script is
> on the local server, but is accessible through a web browser. I'd like
> the user to be able to submit a form and process the script, but not
> see the contents of the script.
>
> http://www.form.com/form.htm -> submit -> processes
> http://www.form.com/process1.php
>
> I want to be able to store the .php script outside of the Web Root.

OK, so store it outside, let's say it's called "outside.php", and then put
your "http://www.form.com/process1.php" file where it has to be to work, and
make it a single line:

include( '../outside.php' );

(or whatever path is appropriate).

Note that this does not in any way improve your security, which I imagine is
your goal. I'm just suggesting a way to accomplish your stated objective.

-Dana


techjohnny@gmail.com
#3: May 4 '06

re: Securing PHP scripts.


Ok, I'm just trying to prevent people from viewing and downloading the
php code. Since some of the form.php is in html, is there an easy way
to convert to complete .php without having to add "echo "line"; " in
each part of the html?

Thanks,

--TJ

Dana Cartwright
#4: May 4 '06

re: Securing PHP scripts.


<techjohnny@gmail.com> wrote in message
news:1146712732.908890.6470@j73g2000cwa.googlegroups.com...
> Ok, I'm just trying to prevent people from viewing and downloading the
> php code. Since some of the form.php is in html, is there an easy way
> to convert to complete .php without having to add "echo "line"; " in
> each part of the html?

Look at the "heredoc" syntax. Pay particular attention to the fact that you
can put PHP variables within the heredoc text.
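
The two suggestions made so far in this thread, combined (a one-line stub in the web root that includes a script stored outside it, and heredoc for the HTML), as an added example that is not part of any poster's message. This is what the outside file could contain; the field names `name` and `comment` and the helper function names are assumptions, since the thread does not show the form.

```php
<?php
// outside.php: stored one directory above the web root, so no URL maps to it.
// The web root holds only the one-line stub from the thread, which
// include()s this file. Field names "name" and "comment" are assumptions.

// Escape user-supplied text before it is placed into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Read one form field; anything that is not a plain string (for example
// an array sent as name[]=x) is treated as empty.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Build the whole response page with heredoc instead of one echo per line.
function render_page(array $post): string
{
    $name    = h(field($post, 'name'));
    $comment = nl2br(h(field($post, 'comment')));

    if ($name === '') {
        $name = 'anonymous';
    }

    // Variables are interpolated directly inside the heredoc body.
    return <<<HTML
<!DOCTYPE html>
<html>
<head><title>Form received</title></head>
<body>
  <h1>Thanks, {$name}</h1>
  <p>Your comment:</p>
  <blockquote>{$comment}</blockquote>
</body>
</html>
HTML;
}

echo render_page($_POST);
```

The values are escaped before interpolation because heredoc inserts variables as-is; submitted text would otherwise be rendered as markup in the response page.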


tool
#5: May 4 '06

re: Securing PHP scripts.


In article <G_e6g.6344$TT.1904@twister.nyroc.rr.com>,
danapub2@weavemaker.com says...
> <techjohnny@gmail.com> wrote in message
> news:1146712732.908890.6470@j73g2000cwa.googlegroups.com...
> > Ok, I'm just trying to prevent people from viewing and downloading the
> > php code. Since some of the form.php is in html, is there an easy way
> > to convert to complete .php without having to add "echo "line"; " in
> > each part of the html?
>
> Look at the "heredoc" syntax. Pay particular attention to the fact that you
> can put PHP variables within the heredoc text.

How can people look at your PHP files? Looking at your directory with a
browser shouldn't show them. At least not on my server it doesn't. Doesn't
all PHP not inside HTML just get run by the server, not sent to the
browser?

To have it somewhere else:

<FORM ACTION = "myscripts/dothis.php">

Can't you just have your PHP code on the htm page call functions in a file
in that directory?

That shouldn't let anyone get at it, I don't think.

Perhaps someone would explain if I'm wrong?
Jerry Stuckle
#6: May 4 '06

re: Securing PHP scripts.


techjohnny@gmail.com wrote:
> Hello:
>
> I have a form that processes a script upon submission. The script is
> on the local server, but is accessible through a web browser. I'd like
> the user to be able to submit a form and process the script, but not
> see the contents of the script.
>
> http://www.form.com/form.htm -> submit -> processes
> http://www.form.com/process1.php
>
> I want to be able to store the .php script outside of the Web Root.
>
> How?
>
> Thanks,
>
> --TJ
>

TJ,

PHP is executed server-side, not client-side. If your host is properly
configured, there is no way anyone can see your PHP code.

If the server is configured improperly, you have a problem. Dana's suggestion
will work in this case - they won't be able to see anything besides the include
statement.

But is it worth the extra hassle and maintenance? I do this for critical files
such as ones containing passwords. But not the every-day files.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
techjohnny@gmail.com
#7: May 4 '06

re: Securing PHP scripts.


I'm more worried about a Web Crawler that can d/l the PHP scripts if
they're in the DocumentRoot.

Thanks,

--TJ

an@other.com
#8: May 5 '06

re: Securing PHP scripts.


In article <1146772365.461502.208970@i40g2000cwc.googlegroups.com>,
techjohnny@gmail.com says...
> I'm more worried about a Web Crawler that can d/l the PHP scripts if
> they're in the DocumentRoot.
>
> Thanks,
>
> --TJ
>
>

Why?

What can it do that a browser can't?
Jerry Stuckle
#9: May 5 '06

re: Securing PHP scripts.


techjohnny@gmail.com wrote:
> I'm more worried about a Web Crawler that can d/l the PHP scripts if
> they're in the DocumentRoot.
>
> Thanks,
>
> --TJ
>

TJ,

The crawler has to use the same interface the browser does. And it gets exactly
the same information.

