
Can I read php files?


Jack McKalling


I have kept my site secure by converting all files to .php, and checking whether the file was opened by the site or by a user (access is only allowed when opened by the site). However, since some passwords for MySQL are stored in one of those files, I can't be sure enough. Is it possible to read a file's contents into a variable by using fopen()? I know it can, but also with PHP files? What would happen, or what does the server do, when I do? I tried, but the result is not explanatory. I get the result of the document after it was processed by the server, just as if you were requesting it via the address bar. Is this always the case, or should I check some settings before relying on that security thing?


fopen() would only get the actual PHP if it were to open a file on the same server. If you went like `fopen("http://snowforts.ath.cx/index.php", "r");` you would only get the HTML from my site (assuming that URL fopen is on). Your files should be safe unless someone else has the ability to create a PHP file on your server and knows the location of your files on the server. If you are hosted by someone, they usually make sure that you cannot open files from someone else that is being hosted by them too.


Okay, that is safe then. But how do they check if the file is also not owned by someone else on the same host? Because I do have a webhost, and I don't just want to stop external hosts from using fopen() on my files, but also the other accounts on my host :)


You could check and see if your files are safe by setting up a second host and trying to open your files from your first. If you have to pay for that, I would just send your host an email asking them if your files are safe. They will probably tell you.


No, I won't have to pay, but I do have to do a lot of convincing to get another account. But I have a friend whose account I know, but I don't have permission to it. However, I gave him one of my files and I know where he uploaded it, so I can try to fopen() that one. It got me the HTML result :) So does that mean PHP files can ONLY be read by the owner of the file to be opened? :)


Okay, that's cool then. I would also like to try to create a file that, the first time it is opened, would prompt the administrator for the database's password, save it into the file itself permanently, and later on use it to connect to that database :) So I'd need a writable file to write the value in, and get the contents to save into the main document. Could that be done? It would be safe because no one else could open such a file, so :) The main idea is to have an application that only needs to be uploaded as one file, and variably connect to a certain database :blink: So then I could give the application to others, without them having to edit the file, and still have it be able to connect to their own database :)

Edited by Dan The Prof

File security is handled by the operating system. If they have their server set up correctly, other users on the server should not be able to access files in accounts other than their own. I'm not sure if a running script can rewrite itself. But you can always create a new file that you include if it is present and create if it is not.

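To illustrate the two points made in the replies above (a read through the local filesystem returns the raw PHP source, and the operating system's permission bits decide which local accounts may do that read), here is an added example that is not code from any poster in this thread. The file name and credentials are constructed placeholders, and a Unix-like host is assumed.

```php
<?php
// Added example: constructed secrets file with a placeholder credential.
$path = sys_get_temp_dir() . '/example_db_secrets.php';
file_put_contents($path, "<?php\n\$db_pass = 'placeholder-password';\n");

/**
 * Report which classes of local user, besides the owner, can read $path.
 * Returns e.g. ['group', 'other']; an empty array means owner-only.
 */
function readable_by_others(string $path): array
{
    clearstatcache(true, $path);      // fileperms() results are cached
    $mode = fileperms($path);
    if ($mode === false) {
        throw new RuntimeException("cannot stat $path");
    }
    $who = [];
    if ($mode & 0040) { $who[] = 'group'; }
    if ($mode & 0004) { $who[] = 'other'; }
    return $who;
}

// A filesystem read is not passed through the PHP interpreter, so the
// source, including the password line, comes back verbatim.
$source = file_get_contents($path);
echo 'local read contains password: ',
    (strpos($source, 'placeholder-password') !== false ? 'yes' : 'no'), "\n";

chmod($path, 0644);   // common upload default: any local account can read
echo '0644 readable by: ',
    implode(', ', readable_by_others($path)) ?: 'owner only', "\n";

chmod($path, 0600);   // owner-only
echo '0600 readable by: ',
    implode(', ', readable_by_others($path)) ?: 'owner only', "\n";

unlink($path);        // clean up the constructed file
```

Permission bits only separate accounts when each account's scripts run under that account's own user; if the host runs every site's PHP as one shared web-server user, the host has to enforce isolation another way (for example per-user PHP processes or `open_basedir`).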

Yes of course, and I also doubt if a script can edit itself, so I thought of letting it, on 'installation' of my application, write another PHP file that tries to edit the main one and insert those prompted variables in it, then reload the main document to delete the extra file, and all that is left should be the main file only, with the newly inserted variables :) :) I may be able to create this idea, but could you help me out getting started?

Edited by Dan The Prof

I don't know, it seems like a long way to go to do something simple. Why bother updating the main file when you can just create a new file and leave it at that? That way it's easy for the application to know if it has been installed - if the configuration file is present then the installation process succeeded, and if the file is missing then the application should go through the install process.

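One way to build the "config file present means installed" approach suggested in the reply above, as an added example that is not code from the thread. `CONFIG_FILE`, the form field names and the MySQL DSN are assumptions made for illustration.

```php
<?php
// Added example: first-run installer keeping settings in a separate file.
// CONFIG_FILE, the form fields and the DSN are hypothetical names.
const CONFIG_FILE = __DIR__ . '/config.php';

function write_config(string $file, array $settings): void
{
    // var_export() emits a valid PHP literal, so quotes or backslashes in
    // a submitted value cannot break out of the string and inject code.
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";

    // Mode 'x' fails if the file already exists, so a finished install
    // cannot be overwritten by re-submitting the form.
    $fh = fopen($file, 'x');
    if ($fh === false) {
        throw new RuntimeException('config exists or directory not writable');
    }
    chmod($file, 0600);              // owner-only before any secret lands
    fwrite($fh, $php);
    fclose($fh);
}

if (is_file(CONFIG_FILE)) {
    // Installed. Because config.php is itself PHP, a direct HTTP request
    // for it is executed by the server and renders as an empty page.
    $cfg = require CONFIG_FILE;
    $db = new PDO("mysql:host=localhost;dbname={$cfg['db_name']}",
                  $cfg['db_user'], $cfg['db_pass']);
    echo 'Connected.';
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    write_config(CONFIG_FILE, [
        'db_name' => (string)($_POST['db_name'] ?? ''),
        'db_user' => (string)($_POST['db_user'] ?? ''),
        'db_pass' => (string)($_POST['db_pass'] ?? ''),
    ]);
    header('Location: ' . $_SERVER['SCRIPT_NAME']);   // reload, now installed
    exit;
} else {
    echo '<form method="post">Database: <input name="db_name"> '
       . 'User: <input name="db_user"> '
       . 'Password: <input type="password" name="db_pass"> '
       . '<button>Install</button></form>';
}
```

Until the form has been submitted once, whoever requests the page first sets the database details, so the install step should be completed immediately after upload.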

You're probably right, after all it is just one extra file. But I thought, I like it being just one file, one application. But that doesn't seem possible without knowing the password and database name heh :) Btw, "configuration file" is a bit hyperbolic, it only saves the password and database name :)

Edited by Dan The Prof

You might end up wanting more info than that, maybe a domain for cookies or an HTTP path to the application or something like that. But once it's installed it's probably not going to be moved around, so using more than one file probably isn't a very big deal.
