So if you have a PHP page, someone who loads that page may not see the server-side PHP code; but if they grab the source, the file itself is still publicly available, because if you made it not publicly available the person would not be able to load that page.

Thus someone with the right knowledge could 'grab' that file and then read the server-side script.

So is it not safer to make a 'proxy'? For example, an AJAX POST call to a PHP page (called the script handler), passing a string whose first 2 characters are the id of the PHP script to run and the rest of the string is the data for that script; the script handler then runs an include based on that number and returns the echoed-back HTML, which is then displayed.

What do you guys think? I have done this and it works quite nicely: if I grab the source, all I get is an HTML page with a div container and a JavaScript file with AJAX calls to the script handler.

4
  • You should add the code to make your question clearer. Otherwise it's hard to tell. For safety I would just recommend: don't do it, but you have not shown any code, so that's only a guess. Commented Aug 22, 2011 at 7:48
  • 4
    If PHP is running on your server then people can't see the code. It's not like JavaScript in that respect. Commented Aug 22, 2011 at 7:49
  • I don't think this question deserves to be on -1: its premise is incorrect, but the answers are important to prevent others from making the same mistake. Commented Aug 22, 2011 at 7:55
  • Honestly, the entire web has webservers where you can just call 'page.php' - how did you arrive at thinking they are all vulnerable to a bug no one ever described? :) Commented Aug 22, 2011 at 7:55

2 Answers

6

No. Your 'workaround' does not fix the problem, if there ever was one.

If a client (a browser) asks for a 'resource' (a page, for example) from a webserver, the webserver won't just serve the resource as it finds it on disk.

If you configured your webserver well, it will know that

  • An .html, .gif, .png, .css, .js file can just be served as-is.
  • A .php, .php5, .cgi, .pl file has to be executed first, and the resulting output has to be served.

So with a properly configured server (and most decent webservers are properly configured by default), grabbing the PHP source just by calling the page is impossible - the webserver will know to execute the source and return the result.

But

One of the most encountered bugs when writing your own 'upload/download script' is allowing users to upload/download .php (or other executable) files. If your own script 'serves' the .php file by reading it from disk and writing it to the net, users will be able to see your code.

Solution:

  • Don't write scripts unless you know what you are doing.
  • Avoid the not-invented-here syndrome (don't reinvent the wheel unless you are sure you NEED a better wheel AND can MAKE a better wheel).
  • Don't solve problems that don't exist!

By the by:

If your webserver is misconfigured and is just serving .php files as viewable/downloadable files, your 'solution' of calling it by AJAX would not change this... AJAX is still client-side, so any client could bypass the AJAX and fetch the script itself.
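The 'upload/download script' bug described in this answer, shown as an added example (not code from the answer's author): a download handler that reads a file off disk and writes it to the network, in its leaky form and in a hardened form. The upload directory path, the allowed-extension list and the `?file=` parameter are assumptions for the example.

```php
<?php
// Added example: serving user-uploaded files without leaking server-side code.
// UPLOAD_DIR is an assumed location (ideally outside the web root), and the
// file is assumed to be requested as ?file=<name>.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED_EXT = ['png', 'gif', 'jpg', 'pdf', 'txt'];  // never .php, .cgi, .pl ...

// Leaky version (the bug the answer describes): whatever name the client sent
// is read straight from disk and written to the network. The webserver's
// "execute .php first" rule never applies here, so if a .php file is reachable
// through this path its source goes out as plain text.
function serve_file_vulnerable(string $name): void {
    readfile(UPLOAD_DIR . '/' . $name);
}

// Hardened version: strip directory parts, allow only an explicit list of
// non-executable extensions, confine the resolved path to UPLOAD_DIR, and
// tell the browser not to sniff the content type.
function serve_file_safe(string $name): void {
    $base = basename($name);                                   // drops any "../" or subdirs
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($base === '' || !in_array($ext, ALLOWED_EXT, true)) {
        http_response_code(404);
        exit;
    }
    $root = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $base);
    // realpath() resolves symlinks and '..'; the result must still be inside UPLOAD_DIR
    if ($root === false || $path === false || !is_file($path)
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');           // download, not render
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($base) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

serve_file_safe($_GET['file'] ?? '');
```

Keeping the upload directory outside the document root closes the second half of the problem: even a misconfigured webserver then cannot hand out uploaded files directly, so only the handler above decides what is served.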



4

If your web server is configured correctly, users should never be able to view the actual contents of the PHP file. If they try, they should see the actual output of the PHP script as your web server reads and executes it, then passes that as the response to the HTTP request.

Furthermore, you need to understand that users can easily still look at the file the AJAX request is fetching; all they need to do is install Firebug, or use the Chrome developer tools, and they'll be able to see the full URL the file is fetched from.

So to sum up, firstly you shouldn't need to use this kind of 'security technique' for PHP files, and secondly, the 'security technique' will not stop anyone with more than a passing interest in your data.

