I'm developing a PHP application that has to respond to request from several clients, and I thinks "Can any of the clients see the PHP code that I'm writing?".
No, unless
There is a server misconfiguration
There is a bad echo/include somewhere
No. Unless you're echoing it to them under where you're actually using it.
Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)
Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.
If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find.
Consider:
fopen('reports/' . $_GET['blah']);
where the user passes in '../index.php'
No, but you should take all measures to prevent it.
You should always set your sensitive code (heck, why not all?) in a directory bellow your server working dir (say /www), that way if the server gets messed up, it wont be able to show your code to the world because that code will be included by php that is not working in the first place.
If you have your webserver set to serve instead of parse your php yes. But then the clients wouldn't work. So the barring any security holes, answer is no.
No. Assuming you've installed a L/UAMP server properly, or aren't printing out (echo, print_r, etc.) and of the guts of your code, the PHP will be processed and the logic or HTML it's meant to output will be used on the page, not visible.
N.B. If there isn't an 'index' in a directory or a proper .htacess file, an Apache server will show a list of files in the directory, which can be downloaded and reviewed.
One mistake for it to happen is to paste a php tag inside a php string, example:
$string = "This is the answer: <s><?php echo $answer; ?></s>";
echo $string;
The person did a Ctrl+C and Ctrl+V of something that should be printed along the string, but the coder forgot to remove the php tags by distraction.
Related
Gone through related posts and found turning allow_url_include will does the trick. However when I did this :
remote file file.php at http://www.courierscripts.com
$content = file_get_contents('http://www.courierscripts.com/folder/file.php');
on my functions.php, was not able to use the functions of file.php. I also don't want to change my file.php to file.txt because everyone can see it.
Any other way?
If the file is on the same server, use absolute or relative path to it, not an url. Otherwise:
Short answer:
No, it's not possible.
Long answer:
Actually possible with conditions but I bet you won't like them.
It's obviously impossible if you don't have access to the target server (otherwise storing passwords in php config files like Wordpress does would be just one big security flaw).
First of all, file_get_contents returns a string. So you could eval it, but eval is very bad (you can search SO for the clues why).
OK, suppose you agree to eval what's coming from that server even after considering that someone might change the code and do whatever he wants on your machine. BUT you make an http request that is handles by the server (Apache, Nginx or whatever else).
The server knows that *.php files should not be handles as static files. For example, fastcgi. You can turn that off, for example, with RemoveHandler in Apache. But that would let everyone see the source code of files you expose this way.
So, after removing handlers and evaling the result, you could get the result. But be ready that someone you work with will punch you in the face for doing that ;)
UPD
For code sharing, use Composer to create a package and use it as a dependency.
Problem Description in Brief:
PHP script seems to work on my local web server when I 'include' it from the footer tag of my index.html file, but does not work when I upload it to my website. Note that I have made sure that all paths are correct, and that the script file has its own php tags, etc.
Problem Description in Detail:
Yes, I am new to PHP scripting, and yes, variants of this question have probably been asked before. The answers to a few of the questions I have read have noted the path of the php script files to be incorrect. I have checked all paths and confirmed that they are indeed correct (including those on the web hosting server). Furthermore, I have been successful in getting the script to work on my local server running Apache2 with PHP5, but have not been successful when uploading it to my website.
Essentially, I am trying to implement a hit counter script which I have acquired from a Stack Overflow post labelled Visitors counter for simple web sites like Vinaora. The code that invokes the php script looks something like this....
<footer>
<!-- Execute Hit Counter Script -->
<?php include($_SERVER['DOCUMENT_ROOT'].'/php/hitcounter.php'); ?>
</footer>
For the likes of me, I cannot figure out why it does not work on the web hosting server. I have tried other combinations of invoking the script like,
<footer>
<!-- Execute Hit Counter Script -->
<?php include('./php/hitcounter.php'); ?>
</footer>
and,
<footer>
<!-- Execute Hit Counter Script -->
<?php include(dirname(__FILE__).'/php/hitcounter.php'); ?>
</footer>
All combinations seem to work on my local web server, but not on the website! Also note that, I have no problem invoking other PHP scripts using other methods (even on the web hosting server), eg.
<form id="form-query" onsubmit="this.checkValidity();" action="./php/contact.php" method="post">
Any advice/suggestions would be appreciated.
Do you get any PHP error?
First of all, you need to activate error reporting.
Put this before including your file
ini_set('display_errors',1);
error_reporting(-1);
PHP should tell you what's happening.
If you don't see anything, change the filename index.html to index.php and try again.
Maybe be you have used "\" in your include path
Wrong:
<?php include 'includes\header.php'; ?>
You should use "/" to work.
Current:
<?php include 'includes/header.php'; ?>
sometimes it might be dues to casing. check if you you uppercase in naming. on some servers Index.php is not equal to index.php
You might try pasting the "include" code directly into the calling code. Maybe it's the included code itself that's misbehaving...
You are doing completely incorrect thing in the first place.
PHP script seems to work on my local web server when I 'include' it from the footer tag of my index.html
is just totally wrong
There is no such thing as embedding php file within html file (aside from mod_rewrite ...).
For PHP script to be interpreted you must have it (in 99% of cases) with php suffix. This way you allow PHP to distinguish it from regular PHP and send to php interpreter.
Put simply - create this file (a.html):
<body>
abcd<?php echo 'efgh';?>
</body>
and see the result in your browser - use .../a.html
What do you see?
abcd
and not
abcdefgh
On top you always have to have php not the other way around. Solve this or update your question if incorrect.
Short version: How can I relocate to C:\Abyss Web Server\htdocs\database\pfs\max\files\public\sdf.png using header()?
Thorough version:
Currently I'm stuck with this piece of code:
header("Location: ".ROOT_URL."\database\pfs\\".$_GET["u"]."\\files\public\\".$c);
(Not completely in context, but it's not needed in this case, since I've managed to track the cause on my own).
$c is the filename, declared in context, and $_GET["u"] is the "owner's" name. ROOT_URL is defined as: define("ROOT_URL", "file://\Abyss%20Web%20Server\htdocs");, which simply is the path to the server directory (I've also tried with define("ROOT_URL", "C:/\Abyss%20Web%20Server\htdocs"); , but there's no luck there either). Anyways, with this, I want the user to be able of downloading uploaded files by $_GET["u"]. The problem is though, that I everytime get a 404 error... And, from experimenting a bit, I've come to the conclusion that the header() function isn't handling the redirect well.
Not sure why this is happening exactly, but I assume that it has something to do with file:// or c:/. My server is currently hosted locally, and therefore I need to use these methods instead (for so long). Answer would be highly appreciated, as I've been stuck with this for a while now...
If it is a local file system link, you need to prepend the file:// protocol prefix:
header('Location: file://C:\\path\\to\\file');
If you omit that, the client (browser) will interprete it as http://C:\\path\\to\\file
So I have two copies of exactly the same project. The configuration of the servers is the same. The script has to write some data to database and then redirect the user to the appropriate page with the header() function depending on the data written to the database.
It works fine on the Linux server, though in Windows it tries to redirect first, and then write to the database, which, of course, doesn't work, because there's no data written. If I comment out the header() function in the Windows version, it writes to the database, but doesn't do the redirection.
How can two exact scripts work so different?
Edit:
I'm not sure how do I show the code, since there's so much of it and it's so scattered. But basically, it's just a function that sets the header() and then the function that writes to db. And when it redirects, it should select the data that was written to the database and display it.
That's a very simplified version of it. Bear in mind, the header is set BEFORE the writing to the database. I believe this to be the culprit, but I didn't write the code, and I can't change the architecture of it, since it works perfectly on 2 Linux servers, I just don't understand how. I just need to make it work on the Windows server.
It makes the redirection ok, I mean it sends me to the link that it should send me to, but it doesn't write to the database. But it I comment out the header() part, it writes to the database, but doesn't make the redirection.
Try adding an if statement like this:
if(mysql_query('...') && mysql_affected_rows()){
header("Location: redirectScript.php");exit();
}
Hope this helps...
The documentation for the header function states the following:
Note:
HTTP/1.1 requires an absolute URI as
argument to ยป Location: including the
scheme, hostname and absolute path,
but some clients accept relative URIs.
You can usually use
$_SERVER['HTTP_HOST'],
$_SERVER['PHP_SELF'] and dirname() to
make an absolute URI from a relative
one yourself:
Are you using a relative URL? It's possible that LAMP likes a relative URL more then WAMP does. It is a simple test, so worth a shot.
For some reason i've only got it to work on WampServer and with PHP 5.2.4
I have an index.html in my wampserver www directory. On this html, there is a link for a user to upload file. When I hit the link, I select files to upload but instead of the uploadmanager.php which i have tested in my eclipse debugg environment to work, it displays the some part of the code on the web page without doing anything thing. This is not what I expect. Can someone please tell me what is wrong? Thank you.
sound like you are using php-short-open-tags (<? instead of <?php) without enabling this in your php.ini. change your php.ini or use the standart open-tags to solve this.
Are you sure you enabled PHP in WAMP?
Try creating a new uploadmanager.php file directly in wamp/www (or whatever subdirectory) and paste the code from your tested uploadmanager script into the new file. Then try to run it in WAMP.
I think it is a permissions problem. I copied an index.php file into a c:/wamp/www/subdirectory and it only displayed the code. Once I created a new index.php file and pasted the contents of the old file into it, it worked perfectly.
Are you posting to the uploadmanager.php page? Are you getting an error or just seeing the code? Can you post the code from the index.html page that handled the form and the part of the php code you're seeing for us to look at?
Every now and then I have Apache serving the .php as downloadable files instead processing them on the server, but only with random requests.
Some reasons, why this might happen, are
PHP misconfiguration
PHP-files in a directory without execute rights
wrong content type sent
timeout from script execution
In my situation the last bullet is the most dangerous, but luckily it seems to show up only immediately after modifying some of the .php files. I haven't tracked the problem any deeper yet, but it seems to relate some filesystem level operations (as the disk I/O is a bottleneck) and presents itself only in testing env.