Is it true that someone can somehow view the source code of my php files in their browser?
I have a GoDaddy site and through FTP I can set a whole bunch of settings for ‘Owner’, ‘Group’, and ‘Public’. I attached an image so you can see what I’m looking at.
What options should I select for, say, my config file that has my db password, salt, etc. in it?
Yes they can view the source of the generated HTML in their browser.
To be able to view the PHP source either PHP would need to crash on your server or the file extension would need to lose its relationship to PHP.
ok, thanks.
so should i worry about any of those property settings in the image i attached? if not, why?
especially for the config file which contains db passwords and other sensitive information.
No you should not worry about those. Those settings only affect the internals of the server operating system itself. They have no bearing on users connecting via the web.
I read that it’s good practice to NOT put config files or other files with passwords, etc. in a folder accessible via the web. Instead they should be in a folder on the web server not accessible via URL and included into the web project where / when needed.
Since my config file does not echo information, is a folder structure like this to safeguard against what felgall explained - - that if php crashed or the file extension lost its relationship with php, then the config could be navigated to and read as plain text?
nobody can see server side code, but client side code can be seen