
Can someone steal my PHP script without hacking server?

Posted by Vivek Gite [Last updated: August 12, 2007]

Adarsh asks:

Can someone steal my PHP code or program without hacking my Linux box? Can someone snoop script over plain HTTP session?

The short answer is no. PHP runs on the server, so a correctly configured web server sends only the script's output to the client, never the source.

However, a misconfigured web server can easily hand out the PHP file itself to every visitor. Make sure that mod_php / mod_fastcgi is loaded and that the correct MIME type is set up. To avoid this problem, always test your server before moving it to a production environment. Most Linux distributions configure both Apache and PHP out of the box.

How do I stop downloading php source code?

The first step is to stop the web server:
# /etc/init.d/httpd stop
OR
# /etc/init.d/lighttpd stop

If you are using Lighttpd...

Next, bind the web server to 127.0.0.1 for testing. Open the lighttpd web server config file and set the server address to 127.0.0.1:
# vi /etc/lighttpd/lighttpd.conf
Bind to localhost/127.0.0.1:
server.bind = "127.0.0.1"
Start lighttpd:
# /etc/init.d/lighttpd start
Now follow these instructions to configure PHP as a FastCGI module. Then test your configuration using the URL http://127.0.0.1/test.php. PHP should work on the server. If it does not, refer to the server log file.

If you are using Apache...

Open the httpd.conf file and bind Apache to 127.0.0.1:
# vi httpd.conf
The Listen directive instructs Apache to listen to more than one IP address or port; by default it responds to requests on all IP interfaces, but only on the port given by the Port directive.
Listen 127.0.0.1:80
Start apache:
# /etc/init.d/httpd start
Now make sure PHP is installed. Use the rpm or dpkg command to verify:
# rpm -qa | grep -i php
OR
# dpkg --list | grep -i php
If PHP is not installed, just follow these instructions to install PHP. Next, make sure httpd.conf or php.conf has the following directives:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

Note: the path may differ in your setup. Now restart httpd:
# /etc/init.d/httpd restart
A sample PHP test page:

<HTML><HEAD><TITLE>PHP</TITLE></HEAD>
<BODY>
<?php   phpinfo(); ?>
</BODY>
</HTML>

Finally, once PHP works properly, make sure you change the server's bind address from 127.0.0.1 back to the public IP address.
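One way to confirm that PHP is really being executed while the server is still bound to 127.0.0.1 is to classify the raw HTTP response. This is an added example, not part of the original article: the function name check_response and the three sample responses are constructed for illustration, and the last sample covers an include file served as text/plain.

```shell
#!/bin/sh
# Added example: classify one HTTP response (as printed by `curl -si URL`)
# as leaking PHP source or not. Reads status line, headers, blank line, body.
check_response() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        !body && $0 == "" { body = 1; next }     # blank line ends the headers
        !body {
            h = tolower($0)
            # Handler MIME type sent to the client: file was served, not run.
            if (h ~ /^content-type:/ && index(h, "application/x-httpd-php")) {
                why = "php-mime-type"
            }
            next
        }
        # A raw PHP open tag in the body means the interpreter never ran.
        why == "" && (index(tolower($0), "<?php") || index($0, "<?=")) {
            why = "source-in-body"
        }
        END { if (why != "") print "LEAK " why; else print "OK" }
    '
}

# Constructed sample responses (not captured from a real server).
sample_executed() {   # test.php once PHP is wired up: only rendered HTML
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><h1>PHP Version</h1></body></html>\n'
}
sample_raw_php() {    # module not loaded: the file itself is offered for download
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n<?php phpinfo(); ?>\n'
}
sample_inc_plain() {  # include file served as text/plain
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<?php $db_pass = "placeholder"; ?>\n'
}

for s in sample_executed sample_raw_php sample_inc_plain; do
    printf '%-18s %s\n' "$s" "$($s | check_response)"
done

# Against the test bind from the article:
#   curl -si http://127.0.0.1/test.php | check_response
```

Any LEAK verdict means the server should stay bound to 127.0.0.1 until the handler configuration is fixed.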

Another option is to keep your source code out of the webroot and serve all PHP requests from a PHP application server using mod_proxy and multiple back-end servers.


Discussion on This Article:

  1. Binny V A Says:

    One thing to note is the .inc files - many people use this extension when including files in PHP. But many servers give it text/plain (or similar) MIME type. This is a huge security risk.

    If your server is not configured properly, people will be able to get this file.

  2. vivek Says:

    Binny,

    Good point, somehow I missed altogether about .inc files.

    Appreciate your post!

  3. oPx Says:

    Nice, never thought about it like that!

  4. @be Says:

    Great advice for the beginner coder!

    Using .inc for extensions isn’t the best way as stated above… Great work :)
