I was just wondering whether it is possible to steal the php code from a site. I have a php file that contains a username and password field. That same file stores the correct username and pass for validation. I have tried many different ways to try and capture the php code, but I always end up with the html output. Can anyone shed some light on this?
well theres probly only two ways to do it…
- hack in and download the php file that way or
- i guess its posible that some sort of server error might reveal your php code or part of it.
if you realy must store your password and username within the script you run for validation i suggest you at least hash them so no one will be able find out either your password or username even if they do find a way to view the php source.
The best thing to do is to store scripts with sensitive information outside your web directory tree.
For example, you could have a small file called settings.php like this:
<?php
$username = "whatever";
$password = "whatever";
?>
If your server searches for files in your home/username/public_html then make a folder inside home/username, store it there and include() it from your main script. This way, your FTP password is needed to obtain the script.
Simerlar question, what are the rules for includes? I mean can a page only be included from the same site or is there a way to allow say one website on one server include a script on another?
On unix you can include() across servers but you will only get the rendered output not the source file. This is missing from Windows distors and you can only include from the the same server on Windows.
Not sure how that works, is that as default? I mean say I know “rival1” has a certain script installed that has his database password stored in say common.php, I couldn’t make a script which was like
<?
include('http://www.rivals-site.com/guestbook/common.php');
echo $db_username;
echo $db_password;
?>
No? That surely isn’t acceptable?
Like I just said. You will get the output not the source. Any php will be non-existent since you are grabbing an outputted file. You cannot get the source code using include() across servers.
Ah, I see, it just returns the html output, it can’t pass variables.
Thanks to everyone for the replies but i am still looking for possible ways to that people can get my php code. -the dark eye- has given 2 ways. Any more?
Are you looking for a way? or trying to keep people from getting your code? DarKeye gave two ways that your code could be revealed, I assume this is not what you want? Could you elaborate on what you are looking for?
Well I was looking for ways to protect my code. However the approach I am looking for is to look at all possible ways that the php code can be taken, then to protect against it.
Make sure not to store sensitive information in files with extensions that don’t get parsed by the server by default, ie. .inc, .txt files. So if the user finds a file the won’t be able to do anything with the rendered output
Store all sensitive info outside the web root, so if the server does go down, malicious types won’t be able to get anything.
If the uname and pwd are stored in a file on the web root, you can use a site grabber to retreive the files. A site grabber is a program that connects to a website, and downloads all files on the site. Kinda like doing a “file -> save as” in IE, only more thourough
These programs are numerous, and freely available
If you want to store credentials in a text file, do as someone suggested, and place them outside of the web root. That way, site grabbers won’t be able to find them.
If the uname and pwd are stored in a file on the web root, you can use a site grabber to retreive the files. A site grabber is a program that connects to a website, and downloads all files on the site. Kinda like doing a “file -> save as” in IE, only more thourough
Not exactly correct. Everything else being equal, the risk is the same whether the user visits the site with IE or uses a site grabber, because requests made to the server by the grabber also get parsed as PHP files as long as the server operates properly
Very true, even if you enter the url of a page in a downloading program such as Getright, the server processes the page and lets you download only the html output…
Originally posted by numeropi
[B]
Not exactly correct. Everything else being equal, the risk is the same whether the user visits the site with IE or uses a site grabber, because requests made to the server by the grabber also get parsed as PHP files as long as the server operates properly [/B]
Hmm, I thought site grabbers worked a little differently than that. But after playing around with one of them, I discovered you are right 