Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 12 years ago.
Improve this question
Is there any way to get the source file of PHP like you would for HTML file or javascript from web browser alone? If so how? If not why?
No, this is not possible. Server-side languages are meant to be interpreted and run before the output is sent to the browser.
Of course. But only if the web server is configured to return just the file and not interpret it first. Most web servers hosting PHP files aren't configured this way.
In order to read PHP source code on a remote server, the user needs to find and exploit a remote file disclosure vulnerability. These most often occur in the application its self and can be detected by using a web application vulnerability scanner like w3af.
MySQL based sql injection can be used to read files using the load_file() function as described here.
It is possilbe that the httpd can be vulnerable to a source code disclosure attack, such as this one in IIS.
Only if the web server happens to fail. Otherwise no, because all code is executed on server and only it's result are being send to browser.
There is a way to do this - but you have the web server needs to be setup to serve ".phps" as text/plain as I've done to demonstrate code examples from my web server. However, if you're trying to poach code from a website running php it's really not possible. Not from the web browser.
No, it would pose a massive security risk with MySQL passwords and other sensitive data.
<?printf($f='<?printf($f=%c%s%c,39,$f,39);?>',39,$f,39);?>
so, yes.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I'm searching for a means to overpass the need for a web server when using a local web application. Why aren't there browser extensions or special browsers to do so? It seems very easy to code to me. The browser or extension would call a php interpreter to compose web pages from php files. Local urls (file:///) would be used. No web service or port would be necessary. Is this just nonsense? Or am I the first person to think about this? In fact, this does already work with static html files.
First edit: I was looking for a server for testing purposes, being able to compose output from php files, without the need to communicate through network ports. Maybe I should have started from here, but Stackoverflow does not allow this kind of posts.
That sounds nice, please go ahead and build that technology. I will also use it. But oh, for now that has nothing to do with SO.
Why web servers are needed even for local web application
Because they are web applications. Technically you don't need a web server for local stuff if all your application code relies on client side programming. You can just go ahead open your html files in browser.
Browsers know how to interpret client side code already, so why re-invent the wheel? If you ever wish to write 1 line of server side code then obviously you'd need a web server at that point.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I have a question about exploiting a php server.
If I restrict all write access to the file system which the web server is running on. What kind of possible exploits can be run to gain access to the server?
And of course the server is running as a standard user.
Can this be regarded as a secure server then?
If an exploit exists that can give the hacker root access, then no amount of permission settings will stop him writing to the file system.
I don't know of any root exploits in PHP or Apache at the moment, but that's not to say they don't exist.
In addition, if the PHP program calls any external programs (via exec(), system(), etc), then those programs also pose the same theoretical risk. And if the PHP program uses eval() in an insecure way, then the attacker could theoretically call any program on the system, again with the same level of risk.
However, his kind of attack is relatively rare; most hacks against PHP software tend to be database attacks, because that's often the weak point in the program code, and also often offers better rewards to the attacker than a file system hack.
Of course, if the entire file system is write protected, then the DB won't be able to make updates either, which would prevent some kinds of DB attack (but would also likely be a problem for your normal DB usage). But a database attack could be in many forms, from simply reading the user passwords to inserting malicious data into the DB, and not all of them require write access. So write protection only goes so far to help you here.
Depending on what you mean by "restrict all write access", you may also have problems with software that expects to be able to write to the file system, including Apache, which writes a log file of activity. Not being able to write to this may be okay for Apache, but it will seriously impare your ability to work out what happened when an attack does occur.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I do quite large project for a client and I would like (somehow) to secure code form event that mid dishonest client was not going to pay me for the work. :)
The contract is written that the project must provide application with a sources.
So far I mostly been writing in .NET where I was protecting myself against such an eventuality in way that I was creating class witch get POST some parameters with shutdown application. This class was thrown into a dll witch was already compiled, so no one could change the source.
Is there a similar possibility in PHP? I can do the same thing (as in .NET case) but clever customers with access to PHP can find above class and I just cut it.
Maybe it is some other way to secure myself?
Suturing of the database also eliminated for similar reasons as above.
PHP is an interpreted language; as a result, it doesn't compile your code. Your best bet is to stick with .NET, where you can compile the functional part of the application into a .dll, or use Java and compile it into a bytecode.
PHP wasn't built for compiling.
What you can do is probably host the application on your server till the client has made a payment, and then upload it to the client's server.
Or you can make it downloadable from your server (only after payment), along with configuration scripts that is configurable by anyone with a few clicks of the button; something similar to the way some of the PHP frameworks (e.g. WordPress) work.
You can protect your code with Zend Guard (http://www.zend.com/en/products/guard/).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Is there any way to download Torrents from the Linux command line and invoke such a program from a PHP process? What a program do you suggest and what is the proper PHP code to start the download, fetch the progress, and terminate the download progress?
An example of a service which converts Torrents files into direct download links:
http://put.io/
If you have the right to do it (you have ssh access)
install a bittorrent client
http://www.cyberciti.biz/tips/linux-command-line-bittorrent-client.html
then make a php script in which you call
exec("/path/to/bittorrent/client/bin/bittorrent-curses 'http:://www.torrentsite.org/file.torrent'");
This will start the download.
This is an example you have to "study" a bit to let this working well. And, as I said before, you need ssh access to your webserver and the possibility to install new stuff, moreover I'm not really sure about this kind of connection are forbidden or not to a shared/unmanaged web server.
The best think is to have your local webserver online, so you can install whatever you want and do whatever you want. But in this case what suggested Matt Williamson is what you are searching for..
To do what you would like you would need to implement a bittorrent client in php which afaik does not yet exist. The bittorrent protocol isn't the most intuitive either and I really wouldnt recommend attacking it without a good prior understanding of it. On the other hand something very close to your goal:
you can either use a CLI client from your webserver ( rTorrent for example ) and have it run in the background / detached session ( gnu/screen or nohup )
you could use a client that comes with a web interface and simply control you torrents from the webui ( for example Deluge http://en.wikipedia.org/wiki/Deluge_%28software%29 )
Cheers
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 10 months ago.
Improve this question
Just started learning Php on my own, and got stuck at the beginning. This is the code I was compiling:
<?php
echo "Hello world!";
echo 6+2;
?>
The problem is that the Php portion isn't displayed in Firefox. Why? Firefox ver. 7.0.1., I am using NetBeans 7, with cygwin.
You said you're accessing the file directly like file:///C:/xampp/htdocs/PhpVjezba1/test1.php
Don't do that, access it via http://localhost/PhpVjexba1/test1.php, provided you have a server installed.
Click Here
Most likely, you haven't installed php on the server yet. Unlike JavaScript and HTML, php is interpreted at the server, and that requires
a webserver (like apache)
a php runtime
php to be configured
The documentation's installation chapter explains how to install php. There are also third-party distributions like XAMPP that try to simplify the installation process.
In the comment you have the problem. You cannot access the file directly.
Start the webserver and run the file "http://localhost/file.php" then the file should work.
Probably a stupid question, but are you running PHP from web server or actually trying to run the file directly in browser?
PHP is never displayed in any web browser, it is executed on a web server, and is used (somewhat) to produce html that is displayed to you're web browser.
Do you have a local browser such as wamp?
Does the output display in other browsers?
Does your page have the .php extension and is your server set to handle php?