[PHP] Re: PHP Source code protection
Zoran Bogdanov escreveu: Hi, I'm building a C# application that connects to a server that has PHP scripts on it. We need to deliver the complete solution to a firm, the C# is no problem because it is compiled... But PHP is a problem bacause it is interpreted and we will have to deliver pure, unprotected script... Is htere a way to secoure my code so when they put it on the server, they can't see it! Thank You! Try Roadsend, now as Open Source: http://www.roadsend.com/home/index.php?SMC=1&pageID=compiler -- zerof http://www.educar.pro.br/ Apache - PHP - MySQL - Boolean Logics - Project Management -- You must hear, always, one second opinion! In all cases. -- Let the people know if this info was useful for you! -- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] RE: PHP source code
Oliver, I think I see your question. You are wanting to know if people can see *your* PHP code (it sounded like you were asking if you could read PHP's source code, which is why people responded like they did). I think another poster mentioned this, but the safest thing to do with your database access information is to store it in a separate PHP script outside of document root. This ensures that there is no way to access it from a URL. Then, you can use include() from your script(s) that need to connect to the database to include the access credentials. I think your question is whether you can see the source of a *.php file from a Web browser somehow, right? I'm not aware of any type of vulnerability that can allow this, once your Web server is setup to recognize these scripts as PHP. A possible source of your concern is that many people mistakenly store included modules under document root, name them *.inc, and don't configure the Web server to deny requests for a resource with a .inc extension. The best solution, even for this case, is to store your included modules outside of document root. This way you don't depend on access restrictions implemented in the Web server, nor do you have to worry about people executing your modules out of context (a danger, possibly greater danger, that exists when you simply name your modules *.php as a quick fix). Hopefully that explains some of this a bit more. Chris >>>On Thu, 19 Sep 2002 16:50:16 +0200 >>>[EMAIL PROTECTED] (Oliver Witt) wrote: >>> Hi, Is there any way to read php source code? I didn't think >>so until I >> >> heard about people you have done that... Kind regards, Oliver >>>If you mean php's source, download it ;) >>> >>> >>Well, but if I write a script with MySQl, there has to be my user name >>and password in the source code. If anybody could read it, >>anybody could >>have access to my databases! >>Oliver >> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP source code
Michael Geier schrieb:
> PHP Source code is only available on the server, and will never be shown to
> the client (unless you create a tool to allow them to see the source;
> see show_source() );
>
> And you can always put your authentication data (username/passwords) in an
> external include() file
>
> auth.inc:
> $username = "foo";
> $password = "bar";
> ?>
>
> page.php:
> include ('[secure directory outside of web tree]/auth.inc');
> mysql_connect("dbname",$username,$password);
> ?>
>
> of course, if you are on a shared-host web server (multiple clients on the
> same server), you are only as secure as the weakest idiot that
> configures/administrates the server, IMHO.
Won't the server ask for authorization if the included PHP script is in an
directory accessible with .htaccess-Authorization?
Oliver
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] RE: PHP source code
then keep this info in a config file off root and use a data abstraction class to connect. Tim www.chessish.com > -Original Message- > From: Oliver Witt [mailto:[EMAIL PROTECTED]] > Sent: 19 September 2002 19:15 > To: [EMAIL PROTECTED]; Stephan Seidt > Subject: Re: PHP source code > > > Stephan Seidt schrieb: > > > On Thu, 19 Sep 2002 16:50:16 +0200 > > [EMAIL PROTECTED] (Oliver Witt) wrote: > > > > > Hi, > > > Is there any way to read php source code? I didn't think > so until I > > > heard about people you have done that... > > > Kind regards, > > > Oliver > > > > > > > If you mean php's source, download it ;) > > Well, but if I write a script with MySQl, there has to be my user name > and password in the source code. If anybody could read it, > anybody could > have access to my databases! > Oliver > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP source code
A solution that I use is to put important information in an include file, and store it in a User-Authentication protected folder, ie. /admin/ This adds one extra layer of protection to your files, and keeps the average joe-surfer from being able to get the files. Peter At 08:24 PM 9/19/2002 +, Stephan Seidt wrote: >Then be sure that nobody is able to read it. >Should be no problem ;) >There is no possibility to read php source, >the webserver will always count it as php file >and the file will be parsed by php. > >Sure its possible to get the file over ftp, ssh, imap, etc, >but this is the problem with all the secret-file stuff. > >bye, >blizz > >On Thu, 19 Sep 2002 20:15:06 +0200, [EMAIL PROTECTED] (Oliver Witt) >wrote: > > > Stephan Seidt schrieb: > > > > > On Thu, 19 Sep 2002 16:50:16 +0200 > > > [EMAIL PROTECTED] (Oliver Witt) wrote: > > > > > > > Hi, > > > > Is there any way to read php source code? I didn't think so until I > > > > heard about people you have done that... > > > > Kind regards, > > > > Oliver > > > > > > > > > > If you mean php's source, download it ;) > > > > Well, but if I write a script with MySQl, there has to be my user name > > and password in the source code. If anybody could read it, anybody could > > have access to my databases! > > Oliver > > > > > > > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php - - - - - - - - - - - - - - - - - - - - - Fourth Realm Solutions [EMAIL PROTECTED] http://www.fourthrealm.com Tel: 519-739-1652 - - - - - - - - - - - - - - - - - - - - - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP source code
Then be sure that nobody is able to read it. Should be no problem ;) There is no possibility to read php source, the webserver will always count it as php file and the file will be parsed by php. Sure its possible to get the file over ftp, ssh, imap, etc, but this is the problem with all the secret-file stuff. bye, blizz On Thu, 19 Sep 2002 20:15:06 +0200, [EMAIL PROTECTED] (Oliver Witt) wrote: > Stephan Seidt schrieb: > > > On Thu, 19 Sep 2002 16:50:16 +0200 > > [EMAIL PROTECTED] (Oliver Witt) wrote: > > > > > Hi, > > > Is there any way to read php source code? I didn't think so until I > > > heard about people you have done that... > > > Kind regards, > > > Oliver > > > > > > > If you mean php's source, download it ;) > > Well, but if I write a script with MySQl, there has to be my user name > and password in the source code. If anybody could read it, anybody could > have access to my databases! > Oliver > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP source code
Stephan Seidt schrieb: > On Thu, 19 Sep 2002 16:50:16 +0200 > [EMAIL PROTECTED] (Oliver Witt) wrote: > > > Hi, > > Is there any way to read php source code? I didn't think so until I > > heard about people you have done that... > > Kind regards, > > Oliver > > > > If you mean php's source, download it ;) Well, but if I write a script with MySQl, there has to be my user name and password in the source code. If anybody could read it, anybody could have access to my databases! Oliver -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP source code
On Thu, 19 Sep 2002 16:50:16 +0200 [EMAIL PROTECTED] (Oliver Witt) wrote: > Hi, > Is there any way to read php source code? I didn't think so until I > heard about people you have done that... > Kind regards, > Oliver > Do you mean the source of php.net ? Try http://de.php.net/source.php?url=/index.php If you mean php's source, download it ;) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
