I'm developing a PHP application that has to respond to request from several clients, and I thinks "Can any of the clients see the PHP code that I'm writing?".
- There is a server misconfiguration
- There is a bad echo/include somewhere
No. Unless you're echoing it to them under where you're actually using it.
If you have your webserver set to serve instead of parse your php yes. But then the clients wouldn't work. So the barring any security holes, answer is no.
No, but you should take all measures to prevent it.
You should always set your sensitive code (heck, why not all?) in a directory bellow your server working dir (say /www), that way if the server gets messed up, it wont be able to show your code to the world because that code will be included by php that is not working in the first place.
Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)
Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.
If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find. Consider:
fopen('reports/' . $_GET['blah']);
where the user passes in '../index.php'
No. Assuming you've installed a L/UAMP server properly, or aren't printing out (echo, print_r, etc.) and of the guts of your code, the PHP will be processed and the logic or HTML it's meant to output will be used on the page, not visible.
N.B. If there isn't an 'index' in a directory or a proper .htacess file, an Apache server will show a list of files in the directory, which can be downloaded and reviewed.
One mistake for it to happen is to paste a php tag inside a php string, example:
$string = "This is the answer: <s><?php echo $answer; ?></s>"; echo $string;
The person did a Ctrl+C and Ctrl+V of something that should be printed along the string, but the coder forgot to remove the php tags by distraction.