I was wondering how php files are actually secured. How come one cannot download a php file, even if the exact location is known?
When I upload a php file to my webserver, let's say to domain.com/files, and I call the domain.com/files page, I can clearly see the php file and its actual size. Downloading the file, however, leads to an empty file.
The question then is: How does the security mechanism work exactly?
The web server's responsibility is to take the PHP script and hand it to the PHP interpreter, which sends the HTML (or other) output back to the web server.
A mis-configured web server may fail to handle the PHP script properly, and send it down to the requesting browser in its raw form, and that would make it possible to access PHP scripts directly.
Your web hosting may have a mechanism to list the contents of a directory, but unless it supplies a download mechanism to supply the PHP script with plain text headers (as opposed to HTML) without handing it to the PHP interpreter, it will be executed as PHP rather than served down.
In order to be able to download the raw PHP file, the server would have to do some extra work (possibly via another PHP script) which reads the PHP file from disk and sends its contents down to the browser with plain text headers.
When you request domain.com/files your web server is set up to show all the files in that directory.
When you request the actual php file the web server executes it and outputs the results back to you - not the source code.
Of course, both of the above can be configured. You could switch off directory listing and disable parsing of php files so the actual file contents/source code is output.
It's usually a good practice to switch off directory listing.
When you first install PHP on your server, it reconfigures Apache so that when a .php file is requested, Apache hands processing over to PHP. PHP then processes the code in the file, and returns whatever text the PHP code echoed or printed to Apache, which then sends that back over the network to the person that requested the PHP file.
The "security" comes simply in that Apache does not simply serve the PHP file, but rather hands it over to the PHP processor for execution. If Apache is not configured correctly or you use a server software that does not recognize PHP, the raw PHP file will be sent to the client.
Short answer: since the server is configured to execute PHP files and return the results, you will never be able to access the PHP source from the outside. All code is executed immediately by the server. So, to answer your question:
The security mechanism is that .php files are executed automatically by the server when they are requested.
This is a huge misconception. When you attempt to access a PHP file over port 80, your request is likely being run through a web server which does something with the file. In the case of PHP, it runs that file through the PHP interpreter, which causes that file to create some output, and that is what is sent to you.
You can easily allow downloading of PHP files by removing the interpreter for that file type. If the web server doesn't have anything special for it and doesn't understand the file, it will just have the client download it.
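A defender-side check for the two conditions the answers above describe (a directory listing being served, and PHP source reaching the client instead of being executed), as an added example that is not part of the original posts. The function name, finding labels and sample responses are constructed for illustration, and the content-type list is a heuristic, not an exhaustive rule.

```python
import re

# An opening PHP tag in a response body means the file was not executed.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Title that Apache's mod_autoindex gives a generated directory listing.
AUTOINDEX_TITLE = re.compile(rb"<title>\s*Index of /", re.IGNORECASE)
# Heuristic: content types typically seen when a .php file is sent unprocessed.
RAW_TYPES = ("application/octet-stream", "application/x-httpd-php")


def audit_response(path, headers, body):
    """Return sorted findings for one response from a server you operate."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    findings = set()
    if path.lower().endswith(".php"):
        if PHP_OPEN_TAG.search(body):
            findings.add("php-source-in-body")
        if ctype in RAW_TYPES:
            findings.add("php-served-as-" + ctype)
    if path.endswith("/") and AUTOINDEX_TITLE.search(body):
        findings.add("directory-listing-enabled")
    return sorted(findings)


# Constructed sample responses (path, headers, body); not captured traffic.
SAMPLES = [
    # Directory listing, as in the question's domain.com/files page.
    ("/files/", {"Content-Type": "text/html;charset=UTF-8"},
     b"<html><head><title>Index of /files</title></head><body>...</body></html>"),
    # Script executed and printed nothing: the "empty file" from the question.
    ("/files/info.php", {"Content-Type": "text/html; charset=UTF-8"}, b""),
    # No PHP handler configured: the raw file is sent to the client.
    ("/files/info.php", {"Content-Type": "application/x-httpd-php"},
     b"<?php echo 'Hello!'; ?>"),
    # Handler missing but served as HTML: the tag is visible in the markup.
    ("/files/page.php", {"content-type": "text/html"},
     b"<html><body><?php echo \"Hello!\" ?></body></html>"),
]

if __name__ == "__main__":
    for path, headers, body in SAMPLES:
        print(path, audit_response(path, headers, body) or "ok")
```

An XML declaration such as `<?xml ... ?>` is deliberately not matched, so a PHP script that legitimately emits a feed is not flagged.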
Why do we have to use url while accessing a php file from some other file but cannot do the same by mentioning file path. If I mention the file path then it is showing code.
PHP is a scripting language. It is used to make dynamic web pages.
By using a URL (with an IP, such as 127.0.0.1, localhost or any other IP), you are actually pinging a web server like Apache. By using a file path, you are not running any PHP parser (interpreter/compiler); that's why it simply shows you the code.
When you are entering a URL (e.g. http://localhost:8000), Apache receives your request, forwards it to PHP interpreter which is responsible to parse the requested PHP file, it then generates pure HTML and sends it back to the web server. At the end, web server is only responsible to send back the generated HTML to browser for rendering, that's why you are seeing a real web page and not plain PHP code.
Note: PHP code can also run without using any web server. It is also used from the command line; it only needs the PHP parser. For more information, read this: https://www.php.net/manual/en/intro-whatcando.php
I have to include or require files from one server to another solution through PHP code. Is there any way to do so?
It's some kind of design flaw that you need to include some codes from another server.
Write code in your server or the other solution is using Web Services.
PHP is a server-side language.
Any PHP source file is (supposedly) processed inside the context of the Web Front (Apache, Nginx, etc.) in order to produce resulting, printable output (which is, in general, some HTML or JSON, but could also be an image binary or anything else).
The moment a Web front receives an HTTP request for a given PHP file, this file will get executed in-place, rather than its source dumped directly into the response stream.
If it is not so, then you have a serious misconfiguration in your Apache (or other) because it would mean that anyone can access your source files rather than your actual running application.
Therefore, it is the same for your own attempt to include 'http://remote-server/remote-file.php' ; : the remote server will receive an HTTP request, and will process the remote-file.php, and deliver the outcome to your requesting script. This is totally different from including a source file into your PHP script.
If files on that other server are not accessible, then require cannot include them.
PHP is a server-side scripting language. So, if I make my PC work as a server in a network, will I be able to see the PHP code executed on my machine, as HTML is seen on all client PCs?
Not only will you be able to see the php code on your server, you will even have to put it there first. Your server will not run other servers' PHP code if that is what you had in mind.
If the webserver is configured correctly then you can only see the code directly on the server as with every other local file on a server/pc.
Other machines that access your internet pages (in case that the php files are for a webpage, as I have seen some usages of php files for maintenance utilities instead of web pages in the past) only see the results of the php code not the php code itself (thus only what you echo or specifically print out to html in another way). This is because the webserver processes the php file and the clients only receive the results of the php files not the source files themselves.
Aside from those two cases I've seen it in the past that if a webserver is NOT correctly configured, it can be that the clients see the php code itself instead of the results (as the webserver does not process the php parts). In these cases yes the clients can see the php source (not sure if this is also true for the current versions of webservers though. At least in the past it was that way).
As mentioned there exists also the option to use php files as programs that run locally (for example started via a service that calls php myphpfile.php). In these cases it is as in the first case that the sourcefile itself can normally be accessed as every other local file on the server itself, but as it is not in a webserver directory clients (aside from network shares,...) won't be able to see anything of the file itself.
Yes, you can see your code by using an SSH client like PuTTY; you have to log in to your server using a user account on the server. Follow the following tutorial. You will be able to log into your server remotely and you can see and even update the files on the server.
http://kb.mediatemple.net/questions/1595/Using+SSH+in+PuTTY+%28Windows%29#gs
You can open the folder containing the source PHP files and open them with an appropriate Editor (Notepad++, Sublime Text...)
I am having a .php file with the following code. While I am changing the extension of the file as .html then also it is behaving in the same way. Can anyone explain the following:
Why the file is behaving in the same manner with both the extensions?
What is the difference between the .php and .html file extensions?
.php file
<html>
<head>
<!-- some html code -->
</head>
<body>
<?php echo "Hello!" ?>
</body>
</html>
The filetype is just a way to identify the file, you can't always trust them.
Depending on your web server configuration, you will see different results.
.html is generally used just for html with no serverside code.
.php is used for serverside php code and html if required.
They can be used for anything, it just depends on the setup.
You can configure your web server to handle .php and .html files differently. Your webserver is configured to interpret both as PHP. Most servers handle .php as PHP, and serve .html as-is. That is, if you put your code in an HTML file, the PHP code will not run and will show up in the output.
Some people find it nicer to have .html in the URL instead of .php. It may be useful if your users download your page and try opening them by double-clicking on them.
A php indicates that it is dynamically generated using PHP language. However, you don't see the page as it was originally written, but rather the end result. The end result is, in fact, an html file.
So to answer your question, to the client, a page ending in php or html will support exactly the same contents (which is to say, an html document). Even though browsers shouldn't, they often attempt to visualize tags which make no sense to them (browser interpreting <?php echo "Hello!" ?> for instance might decide "Hello" is the text to display).
Though an html really should never have php tags in it because it isn't meant to be in an html document (php documents are translated into html documents, thus removing php tags).
An extension is how your operating system recognizes your file and decides what to do with it, i.e. which application it should be opened with.
PHP is a server-side scripting language. It is interpreted by a web server that has PHP installed on it. For example, in XAMPP the php.exe file in the XAMPP/php folder interprets the PHP file/commands.
HTML is the standard for sending information over the internet. So the final result of your file is an HTML page, whichever server-side scripting language you use. The web server you are using will process the PHP commands and convert them to corresponding HTML and send them to your browser. The browser then processes (compiles) the HTML code to display your web page.
HTML is essentially all that you see on your browser. PHP is used to interact with the web server and process information that is entered by the user into a web browser via forms or execute underlying third party scripts (such as TCL scripts) under a link to perform a automation functionality in the background hidden from the user who is using on the web site or parse a XML file or extract information from a database or maintain session information and much more.
In general PHP handles the interaction of a web application with a server that is configured to run PHP. HTML simply dumps the results in browser.
You can think of it this way- HTML is simply how your web site looks ... PHP is what makes your site intelligent so that it can interact with a user...
You're getting the same result because php can be embedded in html and your web server processes both the files to give you identical results. However if you didn't have php installed on your web server you would get as output in your browser.
The difference lies in how your web server is configured, or whether you need a web server at all when trying to run the files locally (ie - with them on the computer you're currently using).
For example, if you were to run both versions on a computer with no web server installed, the .html file will open in a browser just fine, though without doing anything with any PHP tags. The .php file, however, won't necessarily run and the browser may even try to "download" the file.
What the file extensions are for is to tell a computer what to do with a given extension. Just like your computer will open .doc files in a word processor, or .txt files in a basic text editor. And just like you can tell your computer to open .txt files in your word processor, you can tell the web server to handle .html files the same way as .php files (which is what yours is evidently set up to do).
PHP is a server-side scripting language. Everything that has a php tag will be generated by the server and put in the HTML response.
As far as I Know, depending on the extension the web server will process your file on one way or another. Also, for example, you could have a PHP file that doesn't generate any HTML output, but it redirects to another file.
If you want to give a *.html ended page, you could do it programmatically.
You can set any extension to be parsed as PHP, so the difference in your case is only in the extension. If you disable html files in your Apache configuration from being parsed as php, then the content of the file won't be parsed by PHP. That is all.
For example you can add any extension in your Apache configuration to be parsed by php, like this
application/x-httpd-php myextension
where myextension is extension of the file you want to parse.
PHP: Pre Hyper Processor: a server-side script language
HTML: Hyper text markup language
".php" and ".html" are just the file extensions however if you want to use php code you must run it off a server which supports php.
PHP is server side.
HTML is client side.
Plus, on the web, filetypes mean nothing. They are overridden by the !DOCTYPE declaration.
I want to create a simple website with only html pages. I am now including header, sidebar and footer in every file, which is redundant. So, while looking for a solution, I found that <?php include can help me. But my browser is not parsing php content. How can I make it parse php files in html?
Thank you
Since your goal is to create a simple HTML website, with static pages I don't think PHP is the best way to go.
You have two options:
Run PHP on your local computer to pre-process the files:
If you install PHP-cli (command line client), you can use it to process your PHP static pages. Redirect its output to a file and you have your desired output:
php-cli index.php > index.html
Use nanoc (ruby-based) to build your static website:
If you don't have a webserver with PHP enabled, I assume you do not have PHP as a requirement but rather found about <?php include('file') ?> while studying HTML.
With this in mind, I suggest you check out nanoc. It's a tool that uses Ruby to help create static HTML webpages, by providing ways to define a layout (what you're doing with PHP's include) and many other features.
It's quite simple to use and produces static HTML files that you can upload to any server or open with your browser directly and still enables many powerful features while developing your website.
You need to have PHP installed on the server that is running the website. You need to make sure you are naming your files with a valid php extension, e.g. index.php. Can you give us a link to your website where the issue is occurring?
When you enter www.example.com/test.php in the address bar, the browser contacts the webserver at www.example.com and requests the file /test.php. Now depending on how your server is configured, your web server will detect the type of the file (usually using the extension). In this case (since the extension is .php), the webserver will detect that the file is a PHP script and will invoke the PHP interpreter. The PHP interpreter will execute the script and generate HTML which is passed on to the web server. Now the web server will return the HTML to the browser.
PHP is mainly (yes, it is possible to run PHP within a browser) a server-side language.
This means PHP is not executed in your browser, but on your server.
Therefore, you need to have PHP configured correctly on your server to see the correct output.
Even if you manage to configure PHP as a client-side language on your system, remember there is not even < 1% chance of your user's browser supporting it.
You can only have webpages, and not website, without a web server
A website (also spelled Web site) is a collection of related web pages, images, videos or other digital assets that are addressed relative to a common Uniform Resource Locator (URL), often consisting of only the domain name (or, in rare cases, the IP address) and the root path ('/') in an Internet Protocol-based network. A web site is hosted on at least one web server, accessible via a network such as the Internet or a private local area network.
You need to have a web server set up with PHP running on it. PHP is an acronym for "PHP: Hypertext Preprocessor". PHP is processed on the server, rendered into HTML content, then sent out to a web browser to be viewed, but no web browser has the ability to process PHP on its own.
Here are some resources to get you started:
PHP: What do I need?
Your First PHP-enabled Page
Your browser cannot interpret / parse php files.
If you want to test your site locally, you will need to install a local server like WampServer for windows or apache and php in linux.