Can a client view server-side PHP source code?

I'm developing a PHP application that has to respond to request from several clients, and I thinks "Can any of the clients see the PHP code that I'm writing?".

13.10.2009 23:02:49

No, unless

  • There is a server misconfiguration
  • There is a bad echo/include somewhere
13.10.2009 23:04:19
Can you give an example of bad include or echo ?
Mj1992 28.11.2012 13:51:28

No. Unless you're echoing it to them under where you're actually using it.

13.10.2009 23:03:55

If you have your webserver set to serve instead of parse your php yes. But then the clients wouldn't work. So the barring any security holes, answer is no.

13.10.2009 23:05:08

No, but you should take all measures to prevent it.

You should always set your sensitive code (heck, why not all?) in a directory bellow your server working dir (say /www), that way if the server gets messed up, it wont be able to show your code to the world because that code will be included by php that is not working in the first place.

13.10.2009 23:24:09

Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)

Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.

If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find. Consider:

fopen('reports/' . $_GET['blah']);

where the user passes in '../index.php'

13.10.2009 23:37:47

No. Assuming you've installed a L/UAMP server properly, or aren't printing out (echo, print_r, etc.) and of the guts of your code, the PHP will be processed and the logic or HTML it's meant to output will be used on the page, not visible.

N.B. If there isn't an 'index' in a directory or a proper .htacess file, an Apache server will show a list of files in the directory, which can be downloaded and reviewed.

14.10.2009 04:13:00
Yeah but even if you download them, the only thing you will see is the HTML that gets generated. You will not see the PHP code.
galdikas 6.09.2013 10:40:14

One mistake for it to happen is to paste a php tag inside a php string, example:

$string = "This is the answer: <s><?php echo $answer; ?></s>"; 
echo $string;

The person did a Ctrl+C and Ctrl+V of something that should be printed along the string, but the coder forgot to remove the php tags by distraction.

3.04.2013 02:48:08