Adrian Ciutureanu pressed the little lettered thingies in this order...

> Here is something that happened to me: I forgot to tell Apache that .inc
> files must be parsed by PHP. All works fine if you include a .inc file, but
> if somebody guesses the .inc file name, he can see the content of that file!
> 

If this is a concern, either name your include files with a valid PHP 
extension (i.e. ".php") or add the following line to an .htaccess file:
AddType application/x-httpd-php .inc
This will make the web server treat your .inc files as though they were 
PHP files and the source would be parsed rather than shown when 
accessed through a web browser.

> > -----Original Message-----
> > From: David A Dickson [mailto:[EMAIL PROTECTED]]
> > Sent: 4 July 2001 16:43
> > To: php-general
> > Subject: [PHP] Security of PHP code
> > 
> > 
> > Is it possible for others to view the PHP code for pages I 
> > have written? I thought I heard someone say before that they 
> > could write a simple script to accomplish this. If anyone 
> > knows of any tactics people might use to attack my code 
> > please post them here.
> > 
> > : David A. Dickson
> > : [EMAIL PROTECTED]

Anyone who has access to the server on which your site is hosted 
can view the source of your site by using the show_source() or 
highlight_file() functions unless your hosting provider disables those 
commands.

It doesn't really take a "simple script," just a simple function:
<?php show_source("/path/to/your/file.php"); ?>

To make matters worse, most hosting providers fail to chroot jail logins 
(a chroot jailed login cannot traverse the directory structure UP from its 
own home directory). This common but poor policy allows anyone with 
access to the same server as yours to view your files through the shell 
or even download them by FTP.  They may not overwrite your files, but 
they CAN view them.

There are two solutions if this is an important issue to you:
1) Get a dedicated server.  This is kind of spendy, but accomplishes the 
goal.
2) Only do business with providers that will (even if you have to request 
it) disable these commands AND chroot jail all logins.

Have fun...

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/
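As an added example (not from the thread), a small Python audit for the two exposures discussed above: .inc files served as plain text when nothing maps them to the PHP handler, and show_source()/highlight_file() left enabled for other users of a shared host. The .htaccess and php.ini snippets, the file list and the function names are constructed for this example; the check also accepts a FilesMatch block that denies access to .inc files, an alternative the reply does not mention.

```python
"""Audit helpers for the .inc exposure and the source-viewing functions
discussed in the thread. All config text below is constructed sample data."""
import re
from fnmatch import fnmatch

SOURCE_VIEWERS = {"show_source", "highlight_file"}

# Constructed samples: a weak .htaccess, the AddType fix from the reply,
# an alternative that blocks .inc downloads, and a shared-host php.ini.
WEAK_HTACCESS = "Options -Indexes\n"
FIXED_HTACCESS = "AddType application/x-httpd-php .inc\n"
DENY_HTACCESS = r'''<FilesMatch "\.inc$">
  Require all denied
</FilesMatch>
'''
FILES = ["index.php", "lib/db.inc", "lib/config.inc", "readme.txt"]
SHARED_PHP_INI = "disable_functions = show_source,highlight_file,system\n"

def inc_is_protected(htaccess):
    """True if .inc is mapped to the PHP handler via AddType, or if a
    <Files>/<FilesMatch> block matching .inc names denies all access.
    (SetHandler-based mappings are not recognised by this check.)"""
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"AddType\s+application/x-httpd-php\b.*\s\.inc(\s|$)", line, re.I):
            return True
    blocks = r'<(Files|FilesMatch)\s+"?([^">\s]+)"?\s*>(.*?)</\1>'
    for directive, pattern, body in re.findall(blocks, htaccess, re.S | re.I):
        if not re.search(r"Deny\s+from\s+all|Require\s+all\s+denied", body, re.I):
            continue
        # <Files> uses shell wildcards, <FilesMatch> uses a regex.
        if directive.lower() == "files" and fnmatch("x.inc", pattern):
            return True
        if directive.lower() == "filesmatch" and re.search(pattern, "x.inc"):
            return True
    return False

def exposed_inc_files(docroot_files, htaccess):
    """.inc files under the document root a browser could fetch as text."""
    if inc_is_protected(htaccess):
        return []
    return sorted(p for p in docroot_files if p.lower().endswith(".inc"))

def enabled_source_viewers(php_ini):
    """Source-viewing functions not listed in php.ini's disable_functions."""
    disabled = set()
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            disabled |= {f.strip().strip('"') for f in m.group(1).split(",") if f.strip()}
    return sorted(SOURCE_VIEWERS - disabled)
```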

-- 
PHP General Mailing List (http://www.php.net/)