p2p.wrox.com Forums

beginning_php thread: sensitive php files in web sites? ( include files and teleport pro)


Message #1 by "keith hughitt" <hughittk@m...> on Mon, 10 Feb 2003 00:40:24
Hi,

I have recently started to implement a site in php/mysql on the web, but
I'm still not sure about the sensitivity of .php files. Although it is
SERVER-SIDE and the user only sees the html, the files still reside on
the server. If I have include files with information I don't wish to be
revealed to all, how can I make it so that people cannot view or download
them while still allowing the web pages to call them?

Also, there are programs such as Teleport Pro which can download an
entire site, directory structure and all. Would Teleport Pro download the
php files in their php format, or as outputted html? And also, how can
you hide directories from Teleport Pro? There is an option in Teleport
Pro to "ignore flagged directories", which allows it to download all
directories it can, even if I tell it not to.

I know this is a lot to explain, but any help would be greatly
appreciated. Thanks,

Keith
Message #2 by "Lawrence" <spam@k...> on Sun, 9 Feb 2003 21:29:11 -0500
From: "keith hughitt" <hughittk@m...>
> I have recently started to implement a site in php/mysql on the web, but
> I'm still not sure about the sensitivity of .php files. Although it is
> SERVER-SIDE and the user only sees the html, the files still reside on
> the server. If I have include files with information I don't wish to be
> revealed to all, how can I make it so that people cannot view or download
> them while still allowing the web pages to call them?

Make your PHP files read only. None of the PHP is ever sent to the browser. It all gets parsed on the server. The
only thing that gets sent to the browser is the stuff in an echo or print statement. Not one bit of PHP code ever
goes to the browser.




> Also, there are programs such as Teleport Pro which can download an
> entire site, directory structure and all. Would Teleport Pro download the
> php files in their php format?

Again, no PHP code is ever sent out to a web browser.

If someone else got your FTP password and was able to FTP into your site, then of course you'd be screwed, so keep
your FTP password safe. But about web browsers, don't worry - they won't get a bit of code that way.




Message #3 by "David Scott-Bigsby" <DScott-Bigsby@P...> on Sun, 9 Feb 2003 21:16:35 -0800





<Lawrence>
From: "keith hughitt" <hughittk@m...>
> I have recently started to implement a site in php/mysql on the web, but
> I'm still not sure about the sensitivity of .php files. Although it is
> SERVER-SIDE and the user only sees the html, the files still reside on
> the server. If I have include files with information I don't wish to be
> revealed to all, how can I make it so that people cannot view or download
> them while still allowing the web pages to call them?

Make your PHP files read only. None of the PHP is ever sent to the browser. It all gets parsed on the server. The
only thing that gets sent to the browser is the stuff in an echo or print statement. Not one bit of PHP code ever
goes to the browser.
</Lawrence>

This is true so long as your browser is handing PHP files off to a PHP parser properly -- not something I'd lose
sleep over, but if you want to be extra secure, put all sensitive information (e.g., database passwords) into
library files, put those files outside the document root directory, and make sure they have PHP as their extension
(vs. php.inc or somesuch).

But Lawrence is correct -- the PHP will get parsed out of the document which gets served, and it is irrelevant if
the document is served to a single user clicking on a link or an application hitting every URL on the site.

dsb




Message #4 by "keith hughitt" <hughittk@m...> on Mon, 10 Feb 2003 06:36:56
Thanks for both of the replies, they are both helpful. I had never
thought before to rename to .php, but since that would mean they would
get parsed, that makes a lot of sense now. I cannot put the files beyond
the root directory, however, I believe, because I am running the site on a
web host, although I could be wrong. One question I had, though, relating
to making the files read-only: what are the specific reasons to do this?
It sounds logical, but I'm not sure exactly where it would help. What
could be done if they were not read-only?

keith 
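
An added example, not part of the thread and not written by any of its participants: a Python sketch that audits a document root for the two points raised above, namely files containing PHP source whose extension the server would not hand to the PHP parser (the `php.inc` case) and files writable by group or others (the read-only advice). The name `audit_docroot`, the `PARSED_EXTENSIONS` set and the `<?php` tag check are assumptions for illustration; match them to the handlers your server actually maps to PHP.

```python
import os
import stat

# Assumption: the web server hands only these extensions to the PHP parser.
PARSED_EXTENSIONS = {".php"}
# Assumption: source is recognised by the full open tag; short tags are not checked.
PHP_OPEN_TAG = b"<?php"


def contains_php(path, limit=65536):
    """Return True if the first `limit` bytes of the file contain a PHP open tag."""
    try:
        with open(path, "rb") as handle:
            head = handle.read(limit)
    except OSError:
        return False
    return PHP_OPEN_TAG in head.lower()


def audit_docroot(docroot):
    """Walk docroot and return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, docroot)
            # Only the last extension counts: db.php.inc ends in .inc, so the
            # parser never sees it and the server returns it as plain text.
            ext = os.path.splitext(name)[1].lower()
            if ext not in PARSED_EXTENSIONS and contains_php(path):
                findings.append((rel, "served-as-source"))
            # A file that other accounts on a shared host can write to can be
            # altered to run someone else's code under your site.
            mode = os.stat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable-by-group-or-other"))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in audit_docroot(target):
        print(f"{finding:28} {rel}")
```

Run it with the document root as its only argument; anything reported as `served-as-source` should be renamed to `.php` or moved outside the document root.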



