Can a client view server-side PHP source code?

security php

I'm developing a PHP application that has to respond to request from several clients, and I thinks "Can any of the clients see the PHP code that I'm writing?".


No, unless

  • There is a server misconfiguration
  • There is a bad echo/include somewhere

No. Unless you're echoing it to them under where you're actually using it.


Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)

Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.

If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find. Consider:

fopen('reports/' . $_GET['blah']);

where the user passes in '../index.php'

Related

Split string with multiple-character delimiter
How do I find out which control has focus in .NET Windows Forms?
Why does System.Threading.Timer stop on its own?
How can I force a minimum number of decimal places in Json.net?
Scala single method interface implementation
MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 message lis teners added. Use emitter.setMaxListeners() to increase limit
How to exclude special characters from android keypad for EditText
Focus tab or window
Dynamically creating classes - Python
"Position" or "Rank" for high score table?
Best practice android:onClick XML attribute or setOnClickListener? [duplicate]
Trying to extract information in a casual manner - Which word or phrase can be best used to describe it? [closed]