PHP file protection
NeoDreamer
October 26th, 2006, 12:32 AM
Is there any way for some burglar to download your PHP file? For example, if I have my MySQL passwords in my PHP file, will someone be able to somehow get that password by looking into the PHP file?
bwh2
October 26th, 2006, 12:47 AM
Put them above the public_html (or www) directory. Also, read these:
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html
http://www.sitepoint.com/article/php-security-blunders
NeoDreamer
October 26th, 2006, 02:48 PM
This is from the sitepoint website:
An extremely malicious user could append ";rm -rf *" to the year value and delete your entire Website!
I don't get how adding those when filling out a form could wipe out your website. Isn't that a stupid flaw in PHP?
Voetsjoeba
October 26th, 2006, 03:38 PM
This is from the sitepoint website:
I don't get how adding those when filling out a form could wipe out your website. Isn't that a stupid flaw in PHP?
No, it's because you are using the highly dangerous exec function using unvalidated input. The exec function executes system commands. On UNIX-like systems such as Linux, issuing the command rm -rf * will force-remove all files in the current directory, thus deleting your entire website.
<?php
// Vulnerable example: both values come straight from the query string, unvalidated
$month = $_GET['month'];
$year = $_GET['year'];
// The untrusted values are interpolated directly into a shell command line
exec("cal $month $year", $result);
The $month and $year variables are received through the GET querystring. If these are numbers, the string "cal $month $year" will evaluate to, for example, "cal 12 2006", which is fine and will work. But if your user inputs ; rm -rf * as, say, the year value instead of your expected number, the resulting command will look like this:
exec( "cal 12 ; rm -rf *" );
In UNIX systems, the ; serves as a separator between commands. Therefore it will first execute cal 12, and then rm -rf *, which will effectively delete everything inside the current directory and its subdirectories.
You'll see that they can issue any command. They might even mail your server's password file to themselves, run a basher on it and grab yours. You're giving them full shell access, which is definitely not something you want to happen.
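The following is an added example, not code from the thread or from the sitepoint article: the cal wrapper discussed above, written once in its unsafe form (for comparison only, it is never called) and once hardened with a strict allow-list check plus escapeshellarg(). It assumes a UNIX-like host with the cal utility installed and exec() enabled; the sample inputs at the bottom are constructed.

```php
<?php
// Added example (not from the thread): the exec("cal ...") snippet discussed above,
// written as functions so the unsafe and the hardened variant can be compared.
// Assumes a UNIX-like host with `cal` installed and exec() enabled.

// UNSAFE (shown for comparison, never called below): untrusted values are
// interpolated straight into the command line, so the shell sees any ";" as
// the start of a second command.
function calendar_unsafe(string $month, string $year): array
{
    exec("cal $month $year", $output);
    return $output;
}

// HARDENED, layer 1: accept only what the command actually needs.
// A month is 1..12 and a year is 1..9999; anything else is rejected outright.
function validate_month_year(string $month, string $year): ?array
{
    if (!ctype_digit($month) || !ctype_digit($year)) {
        return null;               // letters, spaces, ";" and so on never reach the shell
    }
    $m = (int) $month;
    $y = (int) $year;
    if ($m < 1 || $m > 12 || $y < 1 || $y > 9999) {
        return null;
    }
    return [$m, $y];
}

// HARDENED, layer 2: even the validated values are quoted with escapeshellarg(),
// so each one is passed to the shell as a single literal argument.
function calendar_safe(string $month, string $year): array
{
    $checked = validate_month_year($month, $year);
    if ($checked === null) {
        return ['error: month and year must be plain numbers'];
    }
    [$m, $y] = $checked;
    $cmd = 'cal ' . escapeshellarg((string) $m) . ' ' . escapeshellarg((string) $y);
    exec($cmd, $output, $status);
    return $status === 0 ? $output : ['error: cal failed'];
}

// Constructed inputs, not real requests: the first is a normal request,
// the second carries the payload from the article in the year field.
$samples = [
    ['12', '2006'],
    ['12', '2006; rm -rf *'],
];
foreach ($samples as [$month, $year]) {
    echo "month=$month year=", json_encode($year), "\n";
    foreach (calendar_safe($month, $year) as $line) {
        echo "  $line\n";
    }
}
```

Run it from the command line with php and the second sample is rejected by validate_month_year() before exec() is ever reached; escapeshellarg() is the second layer in case the validation is ever loosened. The general rule the example follows is that input to exec() is never trusted: check it against the narrowest pattern the command needs, and quote it even after the check.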
NeoDreamer
October 26th, 2006, 04:48 PM
Thanks. That was very useful info.
How about if I want to save some secret algorithms in a PHP file and have a SWF read from that? Is it safe? Can nobody directly download a PHP file? Can they only download the PHP file through some loopholes like that exec command?
Voetsjoeba
October 26th, 2006, 05:03 PM
No, that's definitely not safe. SWF is a very open format, meaning that it is easy to decompile it and find out what your SWF is reading from. If your SWF can, then other people can too. You shouldn't be doing anything secret in SWFs, because you simply can't keep it a secret.
PHP files cannot be downloaded as such, because they are first parsed and run by the server before they are served. That means that your users are actually downloading the output of the PHP file, and not the source code of your PHP file as it exists on the server. There is no way to bypass that. However, if your server access is compromised (for example, because your FTP info gets stolen), people will be able to log in to the server using your FTP account and download the source file. That's why it's important that you keep all your login info safe.
In general, MySQL login info that you placed in a PHP script is safe from prying eyes from the outside, because your script is parsed and run before it is served. However, if your PHP script for some reason does not have the appropriate extension (and is therefore not recognized as a PHP script by your server), then it will not be parsed and it will be served as is; that means the source of your script, and then you have a problem. Just make sure that you always use the correct extension for your PHP scripts: .php.
It's advised to, if possible, move all files that contain sensitive information such as database logins outside of your publicly accessible folder at all times, and include them in your publicly accessible scripts. Not only does this make sense, it also helps as a safeguard against accidental extension renames. Even if your sensitive-information-holding script gets its extension changed, it still won't be accessible by anyone because it's not directly accessible.
The exec example in the article you've read is a worst-case scenario. The security hole that the example illustrates is about as big as they get. It illustrates how dangerous the exec command can be in inexperienced hands.
NeoDreamer
October 26th, 2006, 05:27 PM
I didn't know that there were both private and public folders. Can that be set up easily on typical cheap hosts like www.1and1.com ?
Voetsjoeba
October 26th, 2006, 05:48 PM
Private folders are those outside of your public_html folder. public_html typically is the folder from which the web server will serve its content. Anything outside that folder will not be served and is therefore inaccessible by people visiting your site. PHP however is capable of accessing those folders and the files inside it. This allows you to include scripts that are outside of your public_html folder in your public scripts.
DDD just told me that he has a folder level above public_html. So that means, yes, 1and1 allows you to use them. Whether they're easy to set up I'll leave in the middle, but I imagine it's the default setup.
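As an added example (not code from the thread), this is what the layout described in the posts above looks like in practice: a script in public_html loads its database credentials from a file one level up, where the web server cannot serve it even if its extension is wrong. The paths, the db_config.php file and its array layout, and the use of mysqli are assumptions for the sake of the example; adjust them to your host.

```php
<?php
// Added example (not from the thread): load database credentials from a file
// kept one level above the document root, as suggested in the posts above.
// Assumed layout (hypothetical paths):
//   /home/user/private/db_config.php   <- credentials, outside public_html
//   /home/user/public_html/index.php   <- this script
//
// private/db_config.php is assumed to contain only a returned array:
//   <?php
//   return ['host' => 'localhost', 'user' => 'dbuser', 'pass' => 'CHANGE-ME', 'name' => 'appdb'];

function load_db_config(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // Refuse a config file that sits anywhere the web server could serve directly.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file must live outside the document root');
    }
    $config = require $real;          // the file returns an array, nothing is echoed
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("config is missing '$key'");
        }
    }
    return $config;
}

// __DIR__ is the directory of this script (public_html); go one level up from it.
$config = load_db_config(__DIR__ . '/../private/db_config.php');

$mysqli = new mysqli($config['host'], $config['user'], $config['pass'], $config['name']);
if ($mysqli->connect_error) {
    // Log the detail server-side; never echo credentials or raw errors to the visitor.
    error_log('DB connect failed: ' . $mysqli->connect_error);
    http_response_code(500);
    exit('Database unavailable');
}
echo 'Connected as ' . htmlspecialchars($config['user']);
```

The document-root check in load_db_config() is the safeguard the posts describe, made explicit: if someone later moves db_config.php into public_html, the script refuses to use it instead of silently relying on the .php extension to keep the source hidden. The config file returns an array rather than defining globals so that nothing in it produces output even if it is ever included twice.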
Templarian
October 26th, 2006, 05:58 PM
1and1 shares its folders... it's weird... basically you don't have any folders like that... I've had 1and1 for a good year or 2 and I've never seen it before. Basically for a user to get your PHP files you have to miscode something.
In most situations when using PHP and Flash you can allow PHP to do all the important calculations on its side and output only what the user sees to them. Plus algorithms that are sometimes advanced run significantly faster on the server side.
Just know that the instant a user is able to get to one PHP file they can get to every other one on the server if they so choose.