Can someone steal my PHP script without hacking server?

Published May 2, 2007 · 13 comments · Last updated August 12, 2007


Adarsh asks:

Can someone steal my PHP code or program without hacking my Linux box? Can someone snoop on the script over a plain HTTP session?

The short answer is no. PHP runs on the server side: the interpreter executes the script and only its output (usually HTML) is sent to the client, never the source.

However, a misconfigured web server can easily hand the raw .php file to every visitor. You need to make sure that mod_php or mod_fastcgi is loaded and that the correct MIME type / handler is set up for .php files; if the module is missing, the server treats the file as a static document and serves its contents as-is. To avoid this, always test your server before moving it to production. Most Linux distributions configure both Apache and PHP correctly out of the box.

How do I stop PHP source code from being downloaded?

The first step is to stop the web server:
# /etc/init.d/httpd stop
OR
# /etc/init.d/lighttpd stop

If you are using Lighttpd...

Next, bind the web server to 127.0.0.1 so that only local tests can reach it while you verify the setup. Open the lighttpd configuration file and set the bind address to 127.0.0.1:
# vi /etc/lighttpd/lighttpd.conf
Bind to localhost/127.0.0.1:
server.bind = "127.0.0.1"
Start lighttpd:
# /etc/init.d/lighttpd start
Now follow these instructions to configure PHP as a FastCGI module. Then test your configuration with the URL http://127.0.0.1/test.php. PHP should execute the script and return its output; if it does not, check the server log file.

If you are using Apache...

Open the httpd.conf file and bind Apache to 127.0.0.1:
# vi httpd.conf
The Listen directive tells Apache which IP addresses and ports to accept requests on (it can be given more than once); by default it responds to requests on all IP interfaces, but only on the port given by the Port directive.
Listen 127.0.0.1:80
Start apache:
# /etc/init.d/httpd start
Now make sure PHP is installed; use rpm or dpkg to verify:
# rpm -qa | grep -i php
OR
# dpkg --list | grep -i php
If PHP is not installed, follow these instructions to install it. Next, make sure httpd.conf or php.conf contains the following directives (the first loads the PHP module, the second maps the .php extension to it):
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

Note: the path may differ in your setup. Now restart httpd:
# /etc/init.d/httpd restart
A sample PHP file (save it as test.php in the document root):

<HTML><HEAD><TITLE>PHP</TITLE></HEAD>
<BODY>
<?php   phpinfo(); ?>
</BODY>
</HTML>

Finally, once PHP works properly, remember to change the bind address back from 127.0.0.1 to the server's public IP address.

Another option is to keep your source code out of the web root and serve all PHP requests from a PHP application server using mod_proxy and multiple back-end servers.
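The walk-through above boils down to one question: when you request test.php from the server bound to 127.0.0.1, do you get the script's output or the script itself? The following script, an added example that is not part of the original post, automates that check. It assumes a server listening on the base URL given in PROBE_BASE (hypothetical; the article uses http://127.0.0.1) and a test.php containing phpinfo(); the classify_response function is pure and can be used on any saved response. A leaked file shows up either as a PHP open tag in the body or as a non-HTML Content-Type such as text/plain or application/x-httpd-php, which is what Apache sends when AddType is present but the module is not loaded.

```shell
#!/bin/sh
# Added example (not from the original post): probe a locally bound web
# server and report whether it executed a PHP file or served its source.

# classify_response CONTENT_TYPE BODY
# Prints LEAK, EXECUTED or UNKNOWN on stdout; returns 1 on LEAK, 0 otherwise.
#   LEAK     - a raw PHP open tag came back, or the response was typed as
#              plain text / x-httpd-php / octet-stream: the server served
#              the file instead of running it.
#   EXECUTED - HTML came back with no PHP open tag in it.
#   UNKNOWN  - some other content type; inspect it by hand.
classify_response() {
    ctype=$1
    body=$2
    case "$body" in
        *'<?php'*|*'<?='*) echo LEAK; return 1 ;;
    esac
    case "$ctype" in
        text/plain*|application/x-httpd-php*|application/octet-stream*)
            echo LEAK; return 1 ;;
        text/html*)
            echo EXECUTED; return 0 ;;
        *)
            echo UNKNOWN; return 0 ;;
    esac
}

# probe URL
# Fetches the URL with curl, classifies the answer and prints one line.
# Returns 1 when the verdict is LEAK so callers can count failures.
probe() {
    url=$1
    tmp=$(mktemp) || return 2
    # -w '%{content_type}' prints the Content-Type header curl received.
    ctype=$(curl -s -o "$tmp" -w '%{content_type}' "$url")
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify_response "$ctype" "$body")
    printf '%-8s %s (%s)\n' "$verdict" "$url" "${ctype:-no content-type}"
    [ "$verdict" != LEAK ]
}

# Only probe when a base URL is supplied, e.g.
#   PROBE_BASE=http://127.0.0.1 sh check_php_leak.sh
# Paths are hypothetical; add every PHP entry point you expose.
if [ -n "${PROBE_BASE:-}" ]; then
    leaks=0
    for path in /test.php /index.php; do
        probe "$PROBE_BASE$path" || leaks=$((leaks + 1))
    done
    echo "$leaks leaking URL(s)"
    [ "$leaks" -eq 0 ]
fi
```

Run it before switching the bind address back to the public IP; a non-zero exit status means at least one URL returned source rather than output, which is exactly the misconfiguration the article warns about.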


13 comments

1 Binny V A May 2, 2007 at 11:30 am

One thing to note is the .inc files – many people use this extension when including files in PHP. But many servers give it a text/plain (or similar) MIME type. This is a huge security risk.

If your server is not configured properly, people will be able to get this file.


2 nixCraft May 2, 2007 at 11:59 am

Binny,

Good point, somehow I missed the .inc files altogether.

Appreciate your post!


3 oPx May 3, 2007 at 7:11 pm

Nice, never thought about it like that!


4 @be March 4, 2008 at 6:37 pm

Great advice for the beginner coder!

Using .inc for extensions isn’t the best way as stated above… Great work :)


5 Silver Knight February 2, 2009 at 1:21 am

One tiny little comment I have is that this last paragraph makes it sound as if one would be safe by serving all PHP requests from an application server via mod_proxy.

Another option is keep your source code out of webroot and serve all php requests from php application server using mod_proxy and multiple back-end servers.

While this does indeed introduce another layer of security to the equation, it also introduces more complexity and therefore more possible points of failure. Furthermore, a misconfigured server behind the proxy will happily hand out PHP code just as freely through a proxy as it would directly, as the proxy pretty much just passes on whatever it gets from the servers it makes its requests to…

That having been said, this should not be an issue at all if people follow your good advice about testing it all on localhost (127.0.0.1) and configuring it correctly as you have so helpfully described in such clear detail.

Also, your advice to keep PHP code out of the webroot is very good advice indeed. Any important PHP code should be kept outside the webroot where the web server cannot accidentally serve it up as plain-text, and should be included using PHP include or require statements so that if something does happen to go wrong, then the worst that could happen is a totally non-essential file might get served up as text, but nothing of any significance would be at risk.

Thank you very much for posting this useful and informative post, as I am certain it will help many beginners out there. Keep up the good work… :)


6 Tanner January 28, 2011 at 5:16 am

A PHP file-download script can make this happen, too. Say you have a file called download.php, with pretty much no security, that downloads a file like this: “download.php?file=file.ext”. Somebody could type: “download.php?file=../index.php”, or so.


7 Eni August 19, 2011 at 12:22 am

How about grabbing this php file ehh?
facebook.com/login.php
any manner?
???????????????????????????????
:DDDDDDDD
please reply


8 fbpetition December 14, 2011 at 6:26 pm

Please remove the “Tanner January 28, 2011” quotes … this is encouraging hacking … will complain to Google if not removed within 72 hours …


9 NoNeedForAName April 20, 2012 at 11:38 pm

Kill yourself. Now.


10 MV May 31, 2013 at 4:15 pm

Listen you fuckquad, Google doesn’t run the Internet and last time I checked these are people’s posts. Don’t like it, go fuck yourself.


11 jin March 25, 2012 at 12:45 pm

Fool.
Mr. Tanner is giving a PHP programming tip; it's not hacking. Hacking is much more than this.


12 Tom May 8, 2013 at 8:18 pm

Another factor to consider is backup files. If you edit files on the server, some editors are configured to save a backup copy in the same directory with a ~ or # character added to the filename. These names can easily be guessed, and the files will be served as plain text by the web server.


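Binny's point about .inc files and Tom's point about editor backup copies are the same problem seen from the filesystem side: anything under the document root that the server does not hand to the PHP module is served verbatim. The script below, an added example that is not part of the original post or its comments, audits a document root for such files. It goes a little beyond the two comments by also matching .bak, .orig and Vim .swp files, which are served the same way; the /var/www/html path is only a placeholder for whatever your server's document root is.

```shell
#!/bin/sh
# Added example (not from the original post): list files under a document
# root that a web server would serve as plain text rather than execute:
# editor backups (name~, #name#, .bak, .orig, .swp) and .inc include files.

# find_stray_sources DOCROOT
# Prints one matching path per line, sorted. Returns 2 if DOCROOT is missing.
find_stray_sources() {
    docroot=$1
    if [ ! -d "$docroot" ]; then
        echo "no such directory: $docroot" >&2
        return 2
    fi
    find "$docroot" -type f \( \
        -name '*~' -o -name '#*#' -o -name '*.inc' \
        -o -name '*.bak' -o -name '*.orig' -o -name '*.swp' \) | sort
}

# count_stray_sources DOCROOT
# Prints how many such files exist (0 when the tree is clean).
count_stray_sources() {
    find_stray_sources "$1" | awk 'END { print NR }'
}

# audit DOCROOT
# Human-readable report; returns 1 if anything was found so it can gate a
# deployment step.
audit() {
    docroot=$1
    n=$(count_stray_sources "$docroot")
    if [ "$n" -eq 0 ]; then
        echo "clean: no stray source files under $docroot"
        return 0
    fi
    echo "$n file(s) under $docroot would be served as plain text:"
    find_stray_sources "$docroot" | sed 's/^/  /'
    echo "move includes outside the document root (and require them by path),"
    echo "and delete or relocate editor backup copies."
    return 1
}

# Usage: sh audit_docroot.sh /var/www/html   (placeholder path)
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

The remedy the comments already give is the right one: include files and any other code that is not a page of its own belong outside the document root, pulled in with include or require, so that even a server that forgets how to handle PHP has nothing sensitive to leak.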
13 LessEvil January 23, 2014 at 12:40 pm

Please don't use bad words... My 10-year-old daughter reads this stuff!

