Oliver,

I think I see your question. You are wanting to know if people can see 
*your* PHP code (it sounded like you were asking if you could read PHP's 
source code, which is why people responded like they did).

I think another poster mentioned this, but the safest thing to do with 
your database access information is to store it in a separate PHP script 
outside of document root. This ensures that there is no way to access it 
from a URL. Then, you can use include() from your script(s) that need to 
connect to the database to include the access credentials.

I think your question is whether you can see the source of a *.php file 
from a Web browser somehow, right? I'm not aware of any type of 
vulnerability that can allow this, once your Web server is set up to 
recognize these scripts as PHP.

A possible source of your concern is that many people mistakenly store 
included modules under document root, name them *.inc, and don't 
configure the Web server to deny requests for a resource with a .inc 
extension.

The best solution, even for this case, is to store your included modules 
outside of document root. This way you don't depend on access 
restrictions implemented in the Web server, nor do you have to worry 
about people executing your modules out of context (a danger, possibly 
greater danger, that exists when you simply name your modules *.php as a 
quick fix).

Hopefully that explains some of this a bit more.

Chris

>>>On Thu, 19 Sep 2002 16:50:16 +0200
>>>[EMAIL PROTECTED] (Oliver Witt) wrote:
>>>
>>>>Hi,
>>>>Is there any way to read php source code? I didn't think so until I
>>>>heard about people who have done that...
>>>>Kind regards,
>>>>Oliver
>>>>
>>>If you mean php's source, download it ;)
>>>
>>Well, but if I write a script with MySQL, there has to be my user name
>>and password in the source code. If anybody could read it, anybody could
>>have access to my databases!
>>Oliver
>>
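
A layout check for the advice in the reply above, as an added example that is not part of the original message or of PHP itself. It assumes only `.php` is mapped to the PHP handler and that include files use `.inc`; the directory names and file contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the PHP handler; anything
# else under document root is sent to the browser as-is.
PHP_HANDLED = {".php"}
# Assumption: extension used for include files, as in the thread.
INCLUDE_LIKE = {".inc"}


def is_inside(docroot, path):
    """True if path, after resolving symlinks and '..', lies under docroot."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def audit(docroot, credential_file):
    """Return sorted (issue, path) findings for a site layout."""
    findings = []
    # The credentials script must not be reachable from any URL.
    if is_inside(docroot, credential_file):
        findings.append(("credentials-under-docroot", str(credential_file)))
    # Include files the server would return as plain text.
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = Path(name).suffix.lower()
            if ext in INCLUDE_LIKE and ext not in PHP_HANDLED:
                findings.append(("include-served-as-text", os.path.join(dirpath, name)))
    return sorted(findings)


def demo():
    """Build a constructed site layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        docroot = Path(base, "htdocs")
        private = Path(base, "private")
        (docroot / "lib").mkdir(parents=True)
        private.mkdir()
        (docroot / "index.php").write_text("<?php include '../private/db.php';")
        (docroot / "lib" / "db.inc").write_text("<?php $pass = 'constructed';")
        (private / "db.php").write_text("<?php $pass = 'constructed';")
        bad = audit(docroot, docroot / "lib" / "db.inc")
        return [issue for issue, _ in bad], is_inside(docroot, private / "db.php")


if __name__ == "__main__":
    print(demo())
```

The check resolves symlinks and `..` before comparing, so a credentials path that merely looks like it is outside document root is still reported.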


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
