PHP Security

kaen

Is there anyway to make it so that non-PHP users do not see the PHP code?

Furthermore, is there a way to prevent other people from making forms and using the scripts from my page? How do I make it so only MY website can use those scripts?

superwormy

PHP is server side, so PHP code NEVER gets sent to a user. PHP generates HTML code ( or images, or XML, or whatever ) and sends that to the end-user/browser instead.

So you don't even need to worry about either of your questions.

'Non-PHP users' will NEVER see your code unless you explicitly allow them to, and no one else can use your scripts and forms unless you explicitly allow them to.

kaen

I think if someone placed my script as an action to their form on an outside website, it would work. I heard about PHP's safe mode, but I don't know how to utilize it because I don't have access to my PHP.ini.

TheDefender

kaen, you probably want to check the refering page on all of your form posting scripts to make sure the posts came from your domain, or from pages you specify, and if it didn't, then just don't allow the scripts to run (Your premade scripts that is).

Just look in the PHP manual to see which global variables you need to use...

Either way, like superwormy stated, you should be fine anyhow. The thing you need to concern yourself with is people trying to pass usernames and passwords to your scripts if your php.ini has the Register globals option turned off. Just search these boards for "Register Globals" and you will find tons of discussions about that and the security implications.

superwormy

Ah, I misunderstood you about someone submiting to your script via their own form / website.

But in any case... it doesnt' really matter, as there is no way to avoid this. The HTTP_REFERER var is really the only way to check, but if someone really wants to, its WAY easy to fake the HTTP_REFERER to be whatever they want it to be.

Bottom line, code safely and check usre input and you wont need to worry about other people submitting to your site anyway.