Is it possible to hide the .php file on the server...?
I have a website which sometimes calls php files inside iframes, now I wouldn't like it if somebody copied that code, so how would I hide it?
Or do I have to encrypt it?
Speed is a huge matter in my case, so anything that doesn't affect performance is appreciated!
Thanks
With a correctly configured web server, the PHP code isn't visible to your website visitors. For the PHP code to be accessible by people who visit your website, the server would have to be configured to display it as text instead of processing it as PHP code.
So, in other words, if you visit your website and you see an HTML page and not PHP code, your server is working correctly and no one can get to the PHP code.
Which code? Your PHP source code? The only code a user sees is your HTML code; PHP is processed on the server side!
If your php-files are parsed by the http server, nobody can get them.
If you're still paranoid after the assurances provided here, you can make your code much more difficult for someone else to read by "obfuscating" it (Wikipedia link).
If you Google "php obfuscator", you'll find tons of PHP obfuscator products, many of them free.
Some examples:
PHP Obfuscator
Code Eclipse
Professional PHP Obfuscator/Encoder
Obfuscation does not affect performance. Only readability for humans.
If someone accesses a PHP file on your site, all they will see is the code output by the PHP script (e.g. any HTML or JavaScript) - they won't see the source for the PHP page itself (and will have no way to access it).
If you are concerned about them seeing the output (e.g. the HTML the PHP script generates) from a practical point of view, there isn't anything you can do about that (the most you can do is obfuscate it, but that is largely pointless).
I have a website which sometimes calls
php files inside iframes, now I
wouldn't like it if somebody copied
that code, so how would I hide it? Or
do I have to encrypt it?
No, that makes no sense and would not work. You have to realize that the PHP code is executed on your server to serve an HTTP request, and that the iframe results in a separate HTTP request from the main page.
If you want to prevent others from including the iframe in their own page, you could check the referrer header and have the iframe page show an error if the referrer is not from your site, but that could cause problems for some legitimate users and can also be circumvented.
Alternative solution: do not use iframes; instead, integrate the PHP code that currently displays the iframe's content in your main page. This will work for all users and cannot be circumvented.
Of course, you still can't prevent others from requesting your page, extracting the content from the HTML and displaying it on their page - that's just how the internet works.
Put your important files, like passwords, login, etc., into a folder outside the web folder. E.g. under C: you can set this include path in the php.ini file. Then you are pretty safe. You should definitely store your MySQL access code outside the htdocs folders. I think the PHP code is "includes". So check yourself. Good luck.
I know they can't if it's a .php file but if it is in tags inside a .html file?
I couldn't find any info on this on google so I had to ask here.
As people have stated in the comments they cannot see your code as long as the server is configured correctly.
However, many web servers will eventually have their configuration files edited which from time to time will cause an error that would leave your code visible until fixed. If you have somewhat sensitive material in your PHP code (such as an API key) then you might consider issues such as the following:
Store sensitive code in an area that your web server won't provide direct access to.
Use an appropriate include method to get access to sensitive code without putting it directly into a web page.
Sadly I have run into a very big problem. I noticed that on a website (not mine anyway) there was a file with a very long obfuscated string (over 70.000 chars) with this:
eval(gzuncompress(base64_decode("CODE")));
I wanted to deobfuscate it locally on my PC but finally I decided to use the lazy way, using one of the many online deobfuscator tools. As soon as I clicked on "Deobfuscate" I was able to see the output just for a few seconds. From that moment it seems that I can no longer access pages where online deobfuscators are hosted. For example, I can't open this page (Connection Aborted) even if I can properly browse all other pages:
http://www.whitefirdesign.com/tools/deobfuscate-php-hack-code.html
It's as if all these tools were banned from my PC on every browser and user account. Only a few of them are still accessible, like MobileFish:
http://www.mobilefish.com/services/eval_gzinflate_base64/eval_gzinflate_base64.php
But none of them is able to process my requests. It's as if this PHP script is a pure devil. I suppose that my PC has been compromised in some way, since I can't open some particular websites even if both MalwareBytes and Avast can't find anything wormy. Any ideas? What does this script do?
http://pastebin.com/yf6R1rVK
The code has been put there through some sort of other vulnerability on the site. Here's the deobfuscated PHP, run at your own peril. It looks like some sort of shell which would allow attackers to run certain commands/farm information on the server it's hosted on.
https://gist.github.com/jtylr/4fd6240ddcd046e62535
The code has been encoded and compressed: base64_decode() decodes the string, gzuncompress() decompresses it, and eval() (see: evil) will then run the string.
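The wrapper described above can be peeled apart as plain data, without ever calling eval(). The following is an added example, not part of the original posts: the function names, the per-layer size cap and the harmless sample payload are constructed for illustration, and it goes beyond the single quoted case by also handling gzinflate/gzdecode and nested layers.

```python
import base64
import re
import zlib

MAX_OUTPUT = 5 * 1024 * 1024  # cap per layer, guards against decompression bombs

def _inflate(data: bytes, wbits: int) -> bytes:
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds MAX_OUTPUT")
    return out

# PHP wrapper function -> equivalent transform, bytes in and bytes out.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzuncompress": lambda b: _inflate(b, 15),   # zlib stream
    "gzinflate": lambda b: _inflate(b, -15),     # raw deflate
    "gzdecode": lambda b: _inflate(b, 31),       # gzip container
}

# eval( f1( f2( "literal" ) ) );  with any nesting depth of wrapper calls
WRAPPED = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)(["'])([A-Za-z0-9+/=\s]+)\2[\s)]*;""")

def unwrap(source: str, max_layers: int = 25):
    """Peel eval(decoder(...)) layers as data. Nothing is ever executed."""
    layers = 0
    while layers < max_layers:
        m = WRAPPED.search(source)
        if not m:
            break
        data = m.group(3).encode()
        for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost first
            if name not in DECODERS:
                raise ValueError(f"unsupported wrapper: {name}")
            data = DECODERS[name](data)
        source = data.decode("utf-8", errors="replace")  # keep only the payload
        layers += 1
    return source, layers

def make_sample(inner: str, layers: int) -> str:
    """Constructed test input: wrap harmless PHP the way the question shows."""
    code = inner
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(code.encode())).decode()
        code = f'eval(gzuncompress(base64_decode("{blob}")));'
    return code

if __name__ == "__main__":
    print(unwrap(make_sample('echo "constructed harmless payload";', 3)))
```

Because the result is only ever handled as text, it can be read or written to a file for review on an isolated analysis machine.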
I've run into some malicious code before that was injected into some vBulletin forums I was responsible for. Generally this malicious code is executed on the remote machine by being dumped onto the box as a bunch of bytes, and then set up to be decoded, decompressed, and evaluated as suggested by that line you have.
It could have done anything.
Perhaps check your machine's host file and see if there are any strange entries that may prevent you from visiting those web pages.
C:\Windows\System32\drivers\etc\hosts
(Assuming you are on Windows. Look for anything suspicious in there and remove it.)
Could also be something in there preventing your anti-virus software from running, or it may be that no actual viral loads were delivered and that you've simply had your host file rewritten.
I doubt you are infected. The code is some kind of shell; that is certainly bad news for the site you found it on, but the simple act of viewing the code string won't affect you.
You can see the deobed code here: http://pastebin.com/QDvnAzZw
What I expect has happened is that your antivirus software scans webpages as you visit them, and recognized the deobed code as malicious, thus cutting the connection to the site.
I imagine the site is then flagged as malicious by your antivirus, thus blocking later attempts to visit it.
If I am correct, you probably won't be able to see the pastebin page linked above.
The solution is specific to your AV program.
Here is the decoded malicious code (this link is a tiny paste, don't worry).
A first rapid investigation (I didn't decode the Python part): it seems to try to open backdoors in WordPress & Joomla admins.
So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?
What permission settings should pages be set to, if there is PHP script that must execute on load but that I don't want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
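The "insurance" layout from this answer, and the advice earlier on the page to keep sensitive code where the web server gives no direct access, can be checked mechanically. The following is an added example, not from the original posts: it lists what a visitor could read if the server ever sent .php files as text, and the directory names, regex heuristics and file contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (an assumption of this example): a variable whose name suggests a
# credential, assigned a string literal.
SECRET = re.compile(
    r"""\$\w*(?:pass|secret|api_?key|token)\w*\s*=\s*['"][^'"]+['"]""", re.I)
# require/include of __DIR__ . '/relative/path'
INCLUDE = re.compile(
    r"""(?:require|include)(?:_once)?\s*\(?\s*__DIR__\s*\.\s*['"]([^'"]+)['"]""")

def audit(docroot: Path):
    """Return (secrets readable in docroot, stubs that include from outside)."""
    docroot = docroot.resolve()
    leaks, outside = [], []
    for f in sorted(docroot.rglob("*.php")):
        rel = f.relative_to(docroot).as_posix()
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
            if SECRET.search(line):
                leaks.append((rel, n))          # would leak if served raw
            m = INCLUDE.search(line)
            if m:
                target = (f.parent / m.group(1).lstrip("/")).resolve()
                if docroot not in target.parents:
                    outside.append(rel)         # raw source shows only a path
    return leaks, outside

def build_constructed_site(base: Path) -> Path:
    """Constructed layout: one stub including from outside, one legacy file."""
    (base / "private").mkdir()
    (base / "htdocs").mkdir()
    (base / "private/config.php").write_text("<?php\n$db_password = 'constructed';\n")
    (base / "htdocs/index.php").write_text(
        "<?php\nrequire __DIR__ . '/../private/config.php';\n")
    (base / "htdocs/legacy.php").write_text("<?php\n$db_password = 'constructed';\n")
    return base / "htdocs"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_constructed_site(Path(tmp)))

if __name__ == "__main__":
    print(demo())
```

In the constructed site only legacy.php is reported as a leak; index.php would expose nothing but the path of a file the web server cannot serve.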
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles on the web. Here is one: http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
Is it possible to view the PHP code of a live website?
No, as it is interpreted on the server-side and the results are sent to the user. If you want to view the source code of a site you control in-browser, consider the FirePHP extension for Firebug, or just access your site files with your preferred method.
Usually, no, as others have said, unless of course this is something you want to be the case. Then you can set it up so that using .phps (or any other extension really, but this is the norm) will display the source code of the page (with syntax coloring I believe). Something like:
AddHandler application/x-httpd-php-source .phps
in your apache configuration should do the trick.
Note, you will need to save your .php files with a .phps for their source to be displayed.
Everyone is wrong! Yes, it is possible! But if you do see the code in your web browser then this would be a serious security breach or some major trouble in the web server. I've seen it happen once, where some dumb administrator had removed the PHP extension for IIS thus the browser provided all sources as text files instead of executing them.
Then again, there is an alternative method, which is through FTP. Most websites give access to their file system through FTP, so administrators don't need physical access to the system. You will need to know username and password, plus the FTP address to get access, but once you have this information, you have access to the whole site. Useful for administrators, yet also a very good reason to be very careful with passwords.
For the current page, add to the PHP code:
http://php.net/manual/en/function.show-source.php
<?php show_source(__FILE__); ?>
Do you have access to the files on the live server? If so yes, otherwise no, it is only possible to see the result of the script execution.
No, unless the server admin screwed up.
Not if PHP is configured properly.
PHP is served already interpreted to the visitor.
Seeing the PHP code on a live website would be considered hacking which is probably outside the ethical scope of stackoverflow.
You can't do that.
Because the server side script (here PHP scripts) execute on the web server and its output is embedded inside HTML which is then thrown back to your browser.
So all you can view is the HTML.
Just imagine, if what you asked was possible, then everyone would have the source code of facebook, flipkart in their hands now.
There are a few sites that allow you to view their PHP source. Try googling for inurl:viewsource.php (my site should turn up in there somewhere :)).
Also you can view php.net's source: http://www.php.net/source.php?url=/index.php
check out php://input and php://filter/convert.base64-encode/resource=<filepath>, eg. http://level11.tasteless.eu/index.php?file=php://filter/convert.base64-encode/resource=config.easy.inc.php
The only NORMAL way to view PHP source code sitting in some file is to use the phps extension, instead of the normal php extension. If you make the file extension .phps, a decently configured server will output a color-formatted source instead of the generated HTML that one would expect. Any other scenario than this one is considered a BIG flaw and the one behind should - panic.
No, it's not possible, as this is considered a security breach.