Jump to content

Is There Anyway For Someone To Download My Complete Index.php File That Has Code In It That Is Not Viewable From Public Www View..?


Recommended Posts

There are many different exploits, or security flaws that could possibly lead to a person being able to view the PHP code for a file on your site — for example, calling file_get_contents with unfiltered user input as the parameter. You just have to try to mitigate each one as you write your code.

Link to post
Share on other sites

I don't think so if the code is correct and developer has added a lot security scripts as he/she knows.As long the user doesn't know your file location..everything is okay.That's why I always use dynamic PHP pages include.

$page = $_GET['page'];$pages = array('323242', '4214141', '8123919');if (!empty($page)) {	  if(in_array($page,$pages)) {		  $page .= '.php'; include($page);	  } else {		  echo 'Page not found. Return to <a href="index.php">index</a>';	 }} else {	  include('323242.php');}

And later I ill add .htacces rewrite rule to make url user friendlier.

Link to post
Share on other sites

You shouldn't name your PHP files with weird names just to obscure their location — as is often said "security through obscurity is no security at all". If you don't want to allow clients direct access to a file over HTTP just put it outside the document root — it will still be visible to PHP. Note that it is not necessary to secure your PHP scripts in this way to prevent their source from being viewed, since the PHP code will be interpreted anyway. P.S.: checking your file names against a whitelist before calling include() with them is a good practice, though.

Link to post
Share on other sites
whats the htaccess code you use to deny HTTP access to the directory or file..?
Order Deny,AllowDeny from all

or how could you block file_get_contents from getting your php source..?
All you need to do is make sure that no $_GET, $_POST, $_COOKIE or certain $_SERVER data get used in the file_get_contents() function. And if it does, that you've made sure that you don't allow the path outside of its specific directory.
Link to post
Share on other sites
There are many different exploits, or security flaws that could possibly lead to a person being able to view the PHP code for a file on your site — for example, calling file_get_contents with unfiltered user input as the parameter. You just have to try to mitigate each one as you write your code.
can you explain that to me a lil more in detail please..?does file_get_contents() have to be used in my php file with unfiltered user input as the parameter or on someone elses php file that reads my php file..?kinda confused here..
Order Deny,AllowDeny from all

All you need to do is make sure that no $_GET, $_POST, $_COOKIE or certain $_SERVER data get used in the file_get_contents() function. And if it does, that you've made sure that you don't allow the path outside of its specific directory.

This is just a basic index.php im using as a test - nothing is output to the viewer/user.it just reads itself and then replaces the AAA sting with whatever is entered into the Query_String as long as my password is in there too.now given that - how can I prevent anyone from viewing the complete php source code from beginning to end..?
<?php$DATA = $_SERVER['QUERY_STRING'];If (stristr($DATA, "MY-PASSWORD")){$DATA = substr($DATA, 11);$FILE = file_get_contents('index.php');$TEXT = str_replace('AAA', $DATA, $FILE);//AAAfile_put_contents('index.php', $TEXT);}exit();?>

Edited by cyfer65
Link to post
Share on other sites

No-one else (i.e., on a different server), can read your PHP file over HTTP, as long as the PHP interpreter is acting on it. The PHP interpreter will execute the PHP code inside the file and only send the output on to be delivered over HTTP. You would need to have a vunerability within your own code.

Link to post
Share on other sites

Well, it does not contain any obvious vulnerabilities. You are probably more likely to have someone maliciously gain access to your server's filesystem than for that script to be exploited.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...