Can I see php code on my own server? - php

PHP is a server-side scripting language. So, if I make my PC work as a server in a network, will I be able to see the PHP code executed on my machine? As HTML is seen on all client PCs?

Not only will you be able to see the php code on your server, you will even have to put it there first. Your server will not run other servers' PHP code if that is what you had in mind.

If the web server is configured correctly, then you can only see the code directly on the server, as with every other local file on a server/PC.
Other machines that access your internet pages (in case the PHP files are for a web page, as I have seen PHP files used for maintenance utilities instead of web pages in the past) only see the results of the PHP code, not the PHP code itself (thus only what you echo or specifically print out to HTML in another way). This is because the web server processes the PHP file and the clients only receive the results of the PHP files, not the source files themselves.
Aside from those two cases, I have seen in the past that if a web server is NOT correctly configured, the clients can see the PHP code itself instead of the results (as the web server does not process the PHP parts). In these cases, yes, the clients can see the PHP source (not sure if this is also true for the current versions of web servers, though. At least in the past it was that way).
As mentioned, there is also the option to use PHP files as programs that run locally (for example, started via a service that calls php myphpfile.php). In these cases it is as in the first case: the source file itself can normally be accessed like every other local file on the server itself, but as it is not in a web server directory, clients (aside from network shares, ...) won't be able to see anything of the file itself.

Yes, you can see your code by using an SSH client like PuTTY; you have to log in to your server using a user account on the server. Follow the tutorial below. You will be able to log in to your server remotely, and you can see and even update the files on the server.
http://kb.mediatemple.net/questions/1595/Using+SSH+in+PuTTY+%28Windows%29#gs

You can open the folder containing the source PHP files and open them with an appropriate Editor (Notepad++, Sublime Text...)

Related

PHP displays as plaintext on web server?

I wrote an HTML page using XAMPP on my Windows computer, and everything works great locally. However, I want to host the content on a website, and I have no idea how to do it. Here it is as is, with the PHP code displayed instead of actually running.
Does github.io support running PHP at all? I read that it doesn't. If so, where would I be able to host my code so that my PHP and JavaScript could run given that I point my browser to the webpage's URL? Also, XAMPP had linked it to a MySQL database, but I am unsure of how to set that up as well on a server.
These seem like simple questions for the beginning web developer, but I scoured Google and couldn't find an answer. Thank you.
To deploy php on the server you have to check:
Is there PHP?
Take care of pretags
Check version of php (it will run with error if php parser is on)
Configure your wwwroot or httpdocs or hotdocs (webpage public folder)
Take care of .htaccess if something is crashing
And not every server is apache and not every server is node and not every... Just ask support of this hosting because in some cases you have to "turn on" PHP by some fancy button.
Have a nice day!
No, Github Pages doesn't have PHP, it's only meant to host static pages. It does support Jekyll, a static site generator (in that it generates static pages once per push which are then hosted as-is), but that's about all.
PHP/MySQL is only one of the many sets of possible web application technologies, so you can't expect it to be everywhere where web hosting is. It has to be either explicitly listed on hosting service's website, or be available for installation in case you get yourself a full-fledged server machine (maybe virtual) to run your website.
Browser-based JavaScript will still be run by the client, since it's not the server's responsibility to run it, just the delivery. So it can be hosted on GitHub Pages. Also, 3rd party services that don't depend on your own server's code execution are usable too: stuff like commenting systems, searches (you can even make a client-side one!) and analytics.

How to protect PHP from the public?

So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?
What permission settings should pages be set to if there is PHP script that must execute on load but that I don't want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles in the web. Here is one http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

How are php files secured

I was wondering how php files are actually secured. How come one can not download a php file, even if the exact location is known?
When I upload a PHP file to my web server, let's say to domain.com/files, and I call the domain.com/files page, I can clearly see the PHP file and its actual size. Downloading the file, however, leads to an empty file.
The question then is: How does the security mechanism work exactly?
The web server's responsibility is to take the PHP script and hand it to the PHP interpreter, which sends the HTML (or other) output back to the web server.
A mis-configured web server may fail to handle the PHP script properly, and send it down to the requesting browser in its raw form, and that would make it possible to access PHP scripts directly.
Your web hosting may have a mechanism to list the contents of a directory, but unless it supplies a download mechanism to supply the PHP script with plain text headers (as opposed to HTML) without handing it to the PHP interpreter, it will be executed as PHP rather than served down.
In order to be able to download the raw PHP file, the server would have to do some extra work (possibly via another PHP script) which reads the PHP file from disk and sends its contents down to the browser with plain text headers.
When you request domain.com/files, your web server is set up to show all the files in that directory.
When you request the actual PHP file, the web server executes it and outputs the results back to you - not the source code.
Of course, both of the above can be configured. You could switch off directory listing and disable parsing of PHP files so the actual file contents/source code is output.
It's usually a good practice to switch off directory listing.
When you first install PHP on your server, it reconfigures Apache so that when a .php file is requested, Apache hands processing over to PHP. PHP then processes the code in the file, and returns whatever text the PHP code echoed or printed to Apache, which then sends that back over the network to the person that requested the PHP file.
The "security" comes simply in that Apache does not simply serve the PHP file, but rather hands it over to the PHP processor for execution. If Apache is not configured correctly or you use a server software that does not recognize PHP, the raw PHP file will be sent to the client.
Short answer: since the server is configured to execute PHP files and return the results, you will never be able to access the PHP source from the outside. All code is executed immediately by the server. So, to answer your question:
The security mechanism is that .php files are executed automatically by the server when they are requested.
This is a huge misconception. When you attempt to access a PHP file over port 80, your request is likely being run through a web server which does something with the file. In the case of PHP, it runs that file through the PHP interpreter, which causes that file to create some output, and that is what is sent to you.
You can easily allow downloading of PHP files by removing the interpreter for that file type. If the web server doesn't have anything special for it and doesn't understand the file, it will just have the client download it.
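The two outcomes these answers describe, a .php file sent down raw and a directory index shown to visitors, can be recognised from the response bodies your own site returns. The following is an added example, not part of the original answers; the function names and the sample responses are constructed for illustration.

```python
import re

# A PHP open tag in a response body means the file was served, not executed.
# Pages that merely display PHP code escape it as "&lt;?php", so a literal
# tag is a strong signal.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Page title emitted by Apache mod_autoindex and nginx autoindex listings.
LISTING_TITLE = re.compile(rb"<title>\s*Index of /", re.IGNORECASE)


def classify_response(body):
    """Return 'source-leak', 'directory-listing' or 'ok' for one response body."""
    if PHP_OPEN_TAG.search(body):
        return "source-leak"
    if LISTING_TITLE.search(body):
        return "directory-listing"
    return "ok"


def audit(responses):
    """Map each requested path to its verdict, keeping only the problems."""
    findings = {}
    for path, body in responses:
        verdict = classify_response(body)
        if verdict != "ok":
            findings[path] = verdict
    return findings


# Constructed (path, body) pairs, as a post-deploy smoke test of your own
# site might collect them.
SAMPLE_RESPONSES = [
    ("/index.php", b"<html><body><h1>Welcome</h1></body></html>"),
    ("/config.php", b"<?php\n$db_password = 'example-only';\n"),
    ("/files/", b"<html><head><title>Index of /files</title></head></html>"),
    ("/docs/tutorial.php", b"<pre>&lt;?php echo 'hi'; ?&gt;</pre>"),
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {verdict}")
```

Running this after every deployment or server configuration change catches the case where the PHP handler has silently stopped being applied.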

Parsing PHP content in HTML without Webserver

I want to create a simple website with only HTML pages. I am now including header, sidebar, footer in every file, which is redundant. So, while looking for a solution, I found <?php include, which can help me. But my browser is not parsing PHP content. How can I make it parse PHP files in HTML?
Thank you
Since your goal is to create a simple HTML website, with static pages I don't think PHP is the best way to go.
You have two options:
Run PHP on your local computer to pre-process the files:
If you install PHP-cli (command line client), you can use it to process your PHP static pages. Redirect its output to a file and you have your desired output:
php-cli index.php > index.html
Use nanoc (ruby-based) to build your static website:
If you don't have a web server with PHP enabled, I assume you do not have PHP as a requirement but rather found out about <?php include('file') ?> while studying HTML.
With this in mind, I suggest you check out nanoc. It's a tool that uses Ruby to help create static HTML web pages, by providing ways to define a layout (what you're doing with PHP's include) and many other features.
It's quite simple to use and produces static HTML files that you can upload to any server or open with your browser directly and still enables many powerful features while developing your website.
You need to have PHP installed on the server that is running the website. You need to make sure you are naming your files with a valid php extension, e.g. index.php. Can you give us a link to your website where the issue is occurring?
When you enter www.example.com/test.php in the address bar, the browser contacts the web server at www.example.com and requests the file /test.php. Now, depending on how your server is configured, your web server will detect the type of the file (usually using the extension). In this case (since the extension is .php), the web server will detect that the file is a PHP script and will invoke the PHP interpreter. The PHP interpreter will execute the script and generate HTML, which is passed on to the web server. Now the web server will return the HTML to the browser.
PHP is mainly (yes, it is possible to run PHP within a browser) a server-side language.
This means PHP is not executed in your browser, but on your server.
Therefore, you need to have PHP configured correctly on your server to see the correct output.
Even if you manage to configure PHP as a client-side language on your system, remember there is not even < 1% chance of your user's browser supporting it.
You can only have webpages, and not website, without a web server
A website (also spelled Web site) is a collection of related web pages, images, videos or other digital assets that are addressed relative to a common Uniform Resource Locator (URL), often consisting of only the domain name (or, in rare cases, the IP address) and the root path ('/') in an Internet Protocol-based network. A web site is hosted on at least one web server, accessible via a network such as the Internet or a private local area network.
You need to have a web server set up with PHP running on it. PHP is an acronym for "PHP: Hypertext Preprocessor". PHP is processed on the server, rendered into HTML content, then sent out to a web browser to be viewed, but no web browser has the ability to process PHP on its own.
Here are some resources to get you started:
PHP: What do I need?
Your First PHP-enabled Page
Your browser cannot interpret / parse php files.
If you want to test your site locally, you will need to install a local server like WampServer for Windows, or Apache and PHP on Linux.

PHP security : retrieving PHP file from server, un-processed

Is there really a way to do this? Retrieving a raw .php file from the server (other than getting into the server's FTP account)? Is this the reason why there are tools/scripts to encrypt PHP source code?
If it's true, then how to protect against it? (without using PHP source code encryption)
edit: the server mentioned has php running, eg. apache-php-mysql, your standard hosting server configuration.
If you are talking about someone else's server, then the short answer is no. If third parties could read your PHP source code, that would be quite a security hole, since PHP files tend to contain database passwords, hash keys, proprietary algorithms and other goodies that you don't want falling in the wrong hands.
If you are talking about your own server (ie. that you yourself have access to), then there are simple scripts that you can put on the server, that allow you to specify a path to any file on the server and have it returned as plaintext.
However, you NEVER EVER want to place such a script on a production server, for the reasons mentioned above.
Generally speaking, you can't access remote source code. The PHP module would have to be disabled for this to occur.
But as a thought experiment, how might this happen?
Leaving aside wholesale exploits which get access to the entire filesystem, imagine if there were a security hole in an application which allowed you to insert a line into an .htaccess file. Given that an .htaccess writable by the httpd process is useful for apps like WordPress, it's not too outlandish a possibility.
If you added this:
php_value engine off
The source files now become downloadable!
It is possible, if the server is not well configured, that PHP files are not handled as such.
Some examples:
Some servers are configured to show the highlighted source code of a PHP file when requested as .phps instead.
Some developers use .inc for files that are intended to be included using include or require. If the server is not configured to handle these as PHP as well, they will be delivered as plain text when they are requested directly.
But the developer can also be the source of vulnerability. For example when he uses a script for downloading files from the server and this script accepts nearly every input without validation.
If the file is served from a web server that has php interpretation enabled (via HTTP) then it will be processed. The only way you'd receive the code unprocessed is if PHP was disabled somehow.
I have encountered a misconfigured web server in the past that had one virtual host properly set up to serve PHP files via the PHP interpreter. There was a second virtual host pointing at the same directory, but it didn't have PHP enabled. This meant things like the 'config.php' for several apps were visible as plain text. As everyone knows, a typical config.php has database auth credentials and other things that shouldn't be known.
So, it is very important to understand your web server setup, and make sure you aren't doing something silly.
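One way to find the files these answers warn about, such as .inc and .phps files that contain PHP but are not handed to the interpreter, is to audit the document root itself. This is an added example, not code from the original posts; it assumes the server executes only the `.php` extension, and the function names and sample document root are constructed.

```python
import os
import tempfile

# Assumption: the server hands only these extensions to the PHP interpreter.
EXECUTED_EXTENSIONS = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_unexecuted_php(docroot, executed=EXECUTED_EXTENSIONS):
    """Return docroot-relative paths that contain PHP but would be served as-is."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in executed:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as handle:
                    head = handle.read(65536)  # open tags sit near the top
            except OSError:
                continue  # unreadable by this user; review it by hand
            if any(tag in head for tag in PHP_OPEN_TAGS):
                exposed.append(os.path.relpath(full, docroot).replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_docroot(root):
    """Constructed layout: one executed page plus the cases the answers mention."""
    files = {
        "index.php": b"<?php require 'lib/db.inc'; echo 'hello';",
        "lib/db.inc": b"<?php $dsn = 'mysql:host=localhost'; // constructed",
        "debug/index.phps": b"<?php echo 'source view copy';",
        "about.html": b"<html><body>static page</body></html>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for rel in find_unexecuted_php(root):
            print("served as plain text if requested:", rel)
```

Files it reports should either be moved outside the document root and included from there, or have their extension mapped to the PHP handler.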
