Can you download a PHP file

Redline · 11-23-2004, 12:22 AM

Without executing it? If so, how do you protect against it? Also, if I have other config files with database passwords, RCON passwords etc, how can I hide them?

DavH27 · 11-23-2004, 02:57 AM

db.php for example will not show anything unless you echo it.

db.inc is treated as a plain text and is viewable.

db.inc.php on the other hand is still a php file and is not viewable.

There are programs out there that 'cache' an entire website which would include one's php code. I just haven't researched intotwhat these programs are, how they work and hwo to prevent them from doing thier work.

What I ahve gatehred so far is they act like a spider, but there's no point in finding thier 'ROBOT' name to exclude it from your site as they have the option to 'disguise' themselves as something else such as a GoogleBot. In fact they don't even need to pay attention to a ROBOTS.txt file.

There are a few tutorials on preventing site caching and tightening php security, so my first suggestion would eb to consult Google

I believe you can secure passwords for db, etc by putting the file/s into a folder, something like your 'inc' folder then use Apache's htaccess to secure it.

idx · 11-23-2004, 06:25 PM

Simple answer: no. If the file name ends in .php (or any other applicable extension that PHP is set to execute for, php3, phtml, etc) then it will try to execute.

As Dave mentioned, there is the use of .inc which wont execute when viewed, but you typically don't want people viewing these files.

The best thing would be to place all of these config files outside the webroot, so there's no possibility of them being access via a browser. (only for php includes) Second to that, if you have to put them under the webroot then secure them via .htaccess. eg:

Code:

<Limit GET POST PUT DELETE>
    Deny from all
</Limit>

DavH27 · 11-25-2004, 03:12 AM

How do you 'reference' a php including function to a file that is not in the web root?

sde · 11-25-2004, 08:12 AM

what about just using one php file to highlight another file? people could copy and paste then.

http://us2.php.net/manual/en/functio...light-file.php

idx · 11-28-2004, 02:51 PM

Quote:

Originally Posted by DavH27

How do you 'reference' a php including function to a file that is not in the web root?

Say your webroot is /home/foo/htdocs .. Just put your stuff somewhere under /home/foo/ and it's out of the webroot. In some cases that's not possible, but it should be.

Then include:

PHP Code:


			
require_once '/home/foo/db/inc/config.php';

-r