Hiding PHP files on web server

Anon

Is there a way to place PHP files into a protected directory on a web server but still allow the user to execute them?

The site I am working on has a large # of PHP files that I use to create the site pages. What I don't want is someone to be able to just type in the URL of the .php page in the address bar and be able to view all the source code. This is a big consideration because the password to the sql server along with the path information is located in the source files as well.

Thanks,

Kablarg (M7_B5)

[deleted]

Simple: just put the 'protected' files in a directory outside the webserver's documentroot. Then other PHP scripts can still access them for 'include()' but browsers cannot access them anymore.

Anon

Vincent,

Thanks for the info. However I unfortunately don't have access to any folders outside the web root. The ISP who is hosting the page only gives me access to the folder for the web site and that's it.

Is there any other way? On some web servers you can create a folder with a _ as the first character of the name and that will make it private but that does not appear to work on their system. They are running apache as far as I can tell.

The only thing I have found so far is to rename all the .inc files to .php which will force them to be parsed and thus the user will get no source or display when the page is opened in the browser.

Thanks,

Kablarg (M7_B5)

Anon

Instead of parsing your .inc files just put a .htaccess file with the txt at this web address onto the folder that your inc files are in. works like a charm.

http://www.webdesign.zoneit.com/php/inc.txt

Anon

Eddie,

Sounds like a good plan. However, I have not used a .htaccess file before and cannot find any reference to it any of my books/manuals. Where can I find information as the format and operation of this file?

Thanks,

Kilgore (M7_B5)

Anon

its so simple that you can do it at first. just copy (add) that lines to your .htaccess file. thats all !

there is another way to protect your php files. change their chmod to 751 or 711. it means everyone can execute it bun only you, can type it.

you can use cuteftp or ftpvoyager to change your files permissions...

Anon

I was going by the understanding that there was no way the raw unexecuted .php files could be viewed by anyone's browser. When I type the direct URL for my PHP pages on my simple server, they come out executed as they should be.

Mind educating me in under what possibilities php source would be visible or downloadable from someone surfing to my webpage?

-Eric-

[deleted]

"Mind educating me in under what possibilities php source would be visible or downloadable from someone surfing to my webpage?"

It could happen when the ISP misconfigures the webserver so it cannot parse PHP code. In that case it will fall back to it's default way to handle files, and that is to serve them as txt files.

But more importantly, it is a shared host.
That means that any PHP script can include() or require() any other file in the documentroot (because the webserver has read access in it's entire documentroot). That means that user X can open PHP scripts from use Y and read them as he/she wishes. Ergo: zero security.

Anon

if someone is accessing to your files from browser, its not a problem. files will come executed. but there are other local users in same server. so they can read and copy your files, then. you have to chmod 751 all of your php files.