Hi there,
As a newbie to PHP, is it in any way possible for a casual web surfer to
actually get to see the PHP behind my .php file?
E.g.
if index.php contained PHP code to check if the page had been called with a
variable such as "password", is there any way a public member can get to see
the raw php file and therefore see what the password is?
index.php might be:
    if ($_REQUEST['password'] === "secret") {
        // then show one page
    } else {
        // show another page
    }
So if a user visits with
index.php?password=secret
they get to see the secret page.
But as the index.php has to have file permission set so that anyone can read
it, I'm worried that the public can just somehow view the file and learn the
password.
Can someone shed any light on this (assuming it makes sense).
Kind regards
Dave.
On Wed, 26 Jan 2005 00:13:25 -0000, "Dave Smithz" <SPAM FREE WORLD> wrote:

> As a newbie to PHP, is it in any way possible for a casual web surfer to
> actually get to see the PHP behind my .php file?

Not unless your server is badly misconfigured.

> E.g.
> if index.php contained PHP code to check if the page had been called with a
> variable such as "password", is there any way a public member can get to see
> the raw php file and therefore see what the password is?
> index.php might be:
>
>     if ($_REQUEST['password'] === "secret") {
>         // then show one page
>     } else {
>         // show another page
>     }
>
> So if a user visits with index.php?password=secret
> they get to see the secret page. But as the index.php has to have file
> permission set so that anyone can read it, I'm worried that the public can
> just somehow view the file and learn the password.
If the "public" is just people who view through the web server, then no,
unless your server config is broken. That rules out "casual web surfers".
However, people logged into the server itself through shell access, or running
their own PHP code on the same server would likely be able to access
public-readable scripts.
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
"Andy Hassall" <an**@andyh.co.uk> wrote in message
> If the "public" is just people who view through the web server, then no,
> unless your server config is broken. That rules out "casual web surfers".
> However, people logged into the server itself through shell access, or
> running their own PHP code on the same server would likely be able to access
> public-readable scripts.
OK, so other users on my server from shared hosting account (like webfusion
or something) would be able to gain access to my raw php files.
So what is ideally a quick and easy way to implement security so that no one
other than the programmers get to see the raw code?
I tried password protected folders, but the problem is that then when we
want the "public" (casual web surfers) to submit information that gets
entered into the DB, they get prompted for username and password.
(See earlier post yesterday titled:
"Maybe easy - securing php files containing DB access passwords etc." )
Any thoughts?
Kind regards
Dave
.oO("Dave Smithz" <SPAM FREE WORLD>)

> OK, so other users on my server from shared hosting account (like webfusion
> or something) would be able to gain access to my raw php files.
Probably.
> So what is ideally a quick and easy way to implement security so that no one
> other than the programmers get to see the raw code?
On many shared hosts there simply is no way, because all PHP scripts run
with the same username. There are ways to run scripts under the username
of their owner, but this has to be configured by the host.
Micha
Dave Smithz wrote:
> So what is ideally a quick and easy way to implement security so that no one
> other than the programmers get to see the raw code?
If the webhost supports it, Zend Encoder. Quick, easy, but definitely
not cheap. On the other hand, if there really is something worth
protecting, the price of Zend Encoder is small to pay for the
protection you get.
--
Markku Uttula
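Dave's worry in the thread is that index.php itself contains the plaintext password, so anyone who can read the script (a misconfigured server, or another account on a shared host, as Andy and Micha describe) learns the secret. The following is an added example, not code from any poster in this thread, showing how the same gate can be written without the secret ever appearing in the script. It assumes a current PHP version (password_hash() and password_verify() exist from PHP 5.5), a web root of /var/www/html, a file /var/www/secret.conf outside that root holding one password_hash() digest, and a form that submits the field as "password" by POST; all of those names and paths are assumptions for the example.

```php
<?php
// Added example (not from the thread): a password gate for index.php that
// keeps the secret out of the script itself.
//
// Assumptions (not in the original post):
//  - the web root is /var/www/html and /var/www/secret.conf sits outside it,
//    readable only by the account that runs this script;
//  - that file holds one line: a password_hash() digest, produced once with
//      php -r 'echo password_hash("secret", PASSWORD_DEFAULT), PHP_EOL;'
//  - the form posts the field as "password" (POST rather than GET, so the
//    value does not land in the query string or the access log).

declare(strict_types=1);

const HASH_FILE = '/var/www/secret.conf';   // outside the document root

// Read the stored digest; null if the file is missing, unreadable or empty.
function loadPasswordHash(string $path): ?string
{
    $hash = @file_get_contents($path);
    if ($hash === false) {
        return null;
    }
    $hash = trim($hash);
    return $hash === '' ? null : $hash;
}

// Compare the submitted value against the digest. password_verify() does a
// constant-time comparison, and index.php never holds the password in clear.
function isAuthorised(?string $candidate, ?string $hash): bool
{
    if ($candidate === null || $hash === null) {
        return false;
    }
    return password_verify($candidate, $hash);
}

$hash      = loadPasswordHash(HASH_FILE);
$candidate = $_POST['password'] ?? null;   // ?? avoids the "undefined index" notice

if (isAuthorised(is_string($candidate) ? $candidate : null, $hash)) {
    include __DIR__ . '/pages/secret.php';   // assumed page name
} else {
    include __DIR__ . '/pages/public.php';   // assumed page name
}
```

This does not change Micha's point: on a host where every customer's scripts run as the same user, another customer can still read /var/www/secret.conf. What they obtain is a digest rather than the password itself, and the digest can be rotated without touching index.php. Keeping the file outside the document root also means a web server misconfiguration that serves .php files as plain text exposes only the gate logic, not the secret.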