Downloading php files?_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2022-12-08 15:43 出处：网络

Is it possible to download php files from the server where they are located? I am a beginner in web area, and I worry that hackers may have special tools to download, see my cod开发者_C百科e and under

If the server is properly configured and there are no security holes in the code then no, it's not possible.

If you have something like

echo file_get_contents($_GET['myFile']);

then this could be used to get your code - never do this!

In 9/10 cases the way bad guys can download your php source code is if you keep backup files in the webroot, things like foo.php.bak or foo.php.old or .backup. These are served as plain files by default so be careful of this issue in addition to the above suggestions.

It's not possible to directly download the source to your php files which are processed through Apache, unless your web server for whatever reason suddenly broke and stopped serving php files through the php interpreter ( if you were messing around with the settings perhaps and broke it. )

A very skilled cracker would probably be able to infiltrate your web server though, and easily download anything on it, but the chances of this are very, very low. If you're not some big company then who would care to take the time to really hack you?

Another point to make is whenever you're dealing with user input, always sanitize otherwise you'd be susceptible to common XSS attacks ( escape strings, dont rely on PHP_SELF, plenty of other sanitisation that can be done ).

the configuration of the webserver determined if a file should be parsed to the php parser or not. this is usually based on the file extention. So, files ending on .php would be parsed, and for php source you would use .phps. So .php files, on the webserver to generate dynamic content can't be downloaded as source.

Hackers don't need your source code to break into your site. In fact the majority of the vulnerabilities on OWASP top 10 doesn't require source code to exploit: http://www.owasp.org/index.php/Top_10_2007

"Black Box" vulnerabilities scanners like Acunetix (http://www.acunetix.com) Or the open source project Wapiti (http://wapiti.sourceforge.net) can uncover SQL Injection, XSS and Source Code Disclosure vulnerabilities easily. Its a great tool.