Can a client view server-side PHP source code?

I'm developing a PHP application that has to respond to requests from several clients, and I think: "Can any of the clients see the PHP code that I'm writing?"


No, unless

  • There is a server misconfiguration
  • There is a bad echo/include somewhere

No, unless you're echoing it to them under where you're actually using it.


Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)

Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.

If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find. Consider:

fopen('reports/' . $_GET['blah'], 'r');

where the user passes in '../index.php'
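The traversal case in this answer, with a hardened handler beside it, as an added example that is not part of the original answers. It assumes a `private/reports` directory kept outside the web-served directory and a `file` query parameter carrying the user-supplied name; both the layout and the parameter name are assumptions for illustration.

```php
<?php
// Added example, not from the original answers.
// Assumed layout: reports are stored outside the document root, and the
// requested file name arrives in $_GET['file'].

declare(strict_types=1);

// Storage directory outside the web-served directory (assumed layout).
const REPORTS_DIR = __DIR__ . '/../private/reports';

/**
 * Vulnerable form from the answer above: the user-controlled value is
 * concatenated straight into the path, so a value such as "../index.php"
 * opens a file outside the reports directory.
 */
function openReportUnsafe(string $userInput)
{
    return fopen('reports/' . $userInput, 'r');
}

/**
 * Hardened form: reduce the input to a plain file name, then verify that
 * the canonical path still lies inside the allowed directory.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolveReportPath(string $userInput, string $baseDir = REPORTS_DIR): ?string
{
    // NUL bytes can truncate the path in the underlying C call; refuse them.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }

    // Only a bare file name is expected, so strip any directory component.
    $name = basename($userInput);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Allow-list the remaining characters (letters, digits, dot, dash, underscore).
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks, so the final check also
    // catches a symlink inside the reports directory pointing elsewhere.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }

    // The canonical file path must begin with the canonical base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // escaped the base directory
    }

    return $full;
}

// Usage: serve the file, or answer 404 when the name was rejected.
$path = resolveReportPath($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The `basename()` step alone already removes `../` segments; the `realpath()` comparison is kept because it also rejects symlinks that resolve outside the reports directory, which is the same class of problem the symlink note in this answer describes.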