cyfer65 Posted October 29, 2011

Or would the only way to get the complete PHP file be to have my hosting credentials, log in to my FTP and download it? Or could they get or download it by using some type of PHP exploit or something?
Synook Posted October 29, 2011

There are many different exploits, or security flaws, that could possibly lead to a person being able to view the PHP code for a file on your site. For example, calling file_get_contents with unfiltered user input as the parameter. You just have to try to mitigate each one as you write your code.
Genert Posted November 1, 2011

I don't think so, if the code is correct and the developer has added as many security scripts as he/she knows. As long as the user doesn't know your file location, everything is okay. That's why I always use dynamic PHP page includes.

```php
<?php
$page  = $_GET['page'];
// Whitelist of page names that may be included.
$pages = array('323242', '4214141', '8123919');

if (!empty($page)) {
    // Strict comparison so that loosely-equal numeric strings
    // (e.g. '0323242') do not pass the check.
    if (in_array($page, $pages, true)) {
        $page .= '.php';
        include($page);
    } else {
        echo 'Page not found. Return to <a href="index.php">index</a>';
    }
} else {
    include('323242.php');
}
```

And later I will add an .htaccess rewrite rule to make the URL user friendlier.
Synook Posted November 2, 2011

You shouldn't name your PHP files with weird names just to obscure their location; as is often said, "security through obscurity is no security at all". If you don't want to allow clients direct access to a file over HTTP, just put it outside the document root; it will still be visible to PHP. Note that it is not necessary to secure your PHP scripts in this way to prevent their source from being viewed, since the PHP code will be interpreted anyway.

P.S.: checking your file names against a whitelist before calling include() with them is a good practice, though.
Ingolme Posted November 2, 2011

For included files, I put them in a directory and use .htaccess to deny HTTP access to the directory.
cyfer65 Posted November 2, 2011

> For included files, I put them in a directory and use .htaccess to deny HTTP access to the directory.

What's the .htaccess code you use to deny HTTP access to the directory or file?
cyfer65 Posted November 2, 2011

Or how could you block file_get_contents from getting your PHP source?
Ingolme Posted November 2, 2011

> What's the .htaccess code you use to deny HTTP access to the directory or file?

```apache
Order Deny,Allow
Deny from all
```

> Or how could you block file_get_contents from getting your PHP source?

All you need to do is make sure that no $_GET, $_POST, $_COOKIE or certain $_SERVER data get used in the file_get_contents() function. And if they do, make sure that you don't allow the path outside of its specific directory.
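The following is an added example, not code from anyone in this thread. It reproduces the flaw Synook describes (file_get_contents() fed unfiltered request input) and the two fixes the thread recommends: a whitelist of allowed names, as in Synook's P.S. and Genert's in_array() check, and refusing any path that resolves outside one directory, as Ingolme suggests. The directory layout, file contents and attack payloads are all constructed inside the script so it runs stand-alone on PHP 8; the names read_page_vulnerable, read_raw_vulnerable, read_page_whitelisted and read_page_confined are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). Everything below is set up in a
// temporary directory so the script can be run as-is on PHP 8.
$base     = sys_get_temp_dir() . '/fgc_demo_' . getmypid();
$pagesDir = $base . '/pages';   // the only directory pages may be read from
mkdir($pagesDir, 0700, true);
file_put_contents($pagesDir . '/about.txt', "About us\n");
// A private file one level up, standing in for a config kept outside the docroot.
file_put_contents($base . '/config.php', "<?php\n\$dbPassword = 'hunter2';\n");

// VULNERABLE: the request parameter is joined straight onto the directory.
// '../config.php' walks out of $pagesDir, and because file_get_contents()
// reads the file rather than executing it, the PHP source comes back as text.
function read_page_vulnerable(string $pagesDir, string $page): string|false
{
    return @file_get_contents($pagesDir . '/' . $page);
}

// WORSE: no directory prefix at all. Besides plain traversal, PHP stream
// wrappers are honoured, so php://filter can return any readable script's
// source base64-encoded.
function read_raw_vulnerable(string $page): string|false
{
    return @file_get_contents($page);
}

// FIX 1: whitelist. The request selects a key; the filename never comes
// from the client. Genert's in_array() check is the same idea.
function read_page_whitelisted(string $pagesDir, string $page): ?string
{
    $allowed = ['about' => 'about.txt'];
    if (!array_key_exists($page, $allowed)) {
        return null;
    }
    $data = file_get_contents($pagesDir . '/' . $allowed[$page]);
    return $data === false ? null : $data;
}

// FIX 2: confinement. Resolve the path and require it to sit inside $pagesDir.
// realpath() canonicalises '..' and symlinks, and returns false for missing
// files and for stream wrappers, so every escape attempt is rejected.
function read_page_confined(string $pagesDir, string $page): ?string
{
    $root   = realpath($pagesDir);
    $target = realpath($pagesDir . '/' . $page);
    if ($root === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so '/pages-old' cannot match '/pages'.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed attacker inputs for the demo.
$traversal = '../config.php';
$filter    = 'php://filter/convert.base64-encode/resource=' . $base . '/config.php';

echo "vulnerable, traversal:\n", read_page_vulnerable($pagesDir, $traversal);
echo "vulnerable, php://filter (base64 of the source): ", read_raw_vulnerable($filter), "\n";

var_dump(read_page_whitelisted($pagesDir, $traversal));
var_dump(read_page_confined($pagesDir, $traversal));
var_dump(read_page_confined($pagesDir, $filter));
var_dump(read_page_whitelisted($pagesDir, 'about'));
var_dump(read_page_confined($pagesDir, 'about.txt'));

// Remove the demo files.
unlink($pagesDir . '/about.txt');
unlink($base . '/config.php');
rmdir($pagesDir);
rmdir($base);
```

Two practical notes. The whitelist is the stronger of the two fixes because the client never supplies a path at all; the realpath() check is what to use when the set of files is not fixed, and it only protects files that exist (a path that resolves to nothing is rejected rather than created). Separately, the Order/Deny directives shown above are Apache 2.2 syntax; on Apache 2.4 the equivalent is `Require all denied`, and the 2.2 form only works there if mod_access_compat is loaded.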
cyfer65 Posted November 5, 2011

> There are many different exploits, or security flaws, that could possibly lead to a person being able to view the PHP code for a file on your site. For example, calling file_get_contents with unfiltered user input as the parameter. You just have to try to mitigate each one as you write your code.

Can you explain that to me a little more in detail please? Does file_get_contents() have to be used in my PHP file with unfiltered user input as the parameter, or in someone else's PHP file that reads my PHP file? Kinda confused here.

> Order Deny,Allow
> Deny from all
>
> All you need to do is make sure that no $_GET, $_POST, $_COOKIE or certain $_SERVER data get used in the file_get_contents() function. And if they do, make sure that you don't allow the path outside of its specific directory.

This is just a basic index.php I'm using as a test; nothing is output to the viewer/user. It just reads itself and then replaces the AAA string with whatever is entered into the QUERY_STRING, as long as my password is in there too. Now, given that, how can I prevent anyone from viewing the complete PHP source code from beginning to end?

```php
<?php
// Reads this file's own source and rewrites it: every 'AAA' is replaced
// with the query string (minus the password) when the password is present.
$DATA = $_SERVER['QUERY_STRING'];
if (stristr($DATA, "MY-PASSWORD")) {
    $DATA = substr($DATA, 11);              // drop the first 11 characters (the password)
    $FILE = file_get_contents('index.php'); // read own source
    $TEXT = str_replace('AAA', $DATA, $FILE);
    //AAA
    file_put_contents('index.php', $TEXT);  // write it back
}
exit();
?>
```
Synook Posted November 5, 2011

No-one else (i.e., on a different server) can read your PHP file over HTTP, as long as the PHP interpreter is acting on it. The PHP interpreter will execute the PHP code inside the file and only send the output on to be delivered over HTTP. You would need to have a vulnerability within your own code.
cyfer65 Posted November 5, 2011

So then would that sample test code I just posted be safe from any vulnerability of viewing the entire PHP source code?
Synook Posted November 5, 2011

Well, it does not contain any obvious vulnerabilities. You are probably more likely to have someone maliciously gain access to your server's filesystem than for that script to be exploited.
This topic is now archived and is closed to further replies.