Lets say I have a site: www.viparrot.com and I want to view the index.php file (not what the .php outputs!). How can I go about doing this? (assuming I do not have the source file, or access the the cpanel etc Thanks Notting
Luckily you can't access other peoples' PHP or there would be security vulnerabilities found in many, many, many major websites.
As live-cms said, you cannot. Except when the sysadmin have made an error on the server, and the web server serves php files without interpreting them, as text. But otherwise, you cannot. Beside, on a e-commerce sie, it's useless, except if you can get the database dump too.
That site is mine! I just wanted to have a look at how other people have been doing things! I guess I'll put that idea on the shelf! Thanks for you responses! Notting
PHP is not the most robust language and therefore occasionally will serve the actual PHP code - there are ways to force this but google is your friend. The advantage of .net is that there is no code in the .aspx file as all the code is compiled into a .bin file so nothing to force a server into error and display
I think he was too busy trying to advocate .NET PHP definitely doesn't randomly output the source code. What he may be referring to: - Some sites that have a phps extension for corresponding php files specifically for viewing the source (but hardly anyone does this for obvious reasons) - The info provided in error messages (all you need to do is turn off error reporting which is standard for a production site)
Some websites have errors that allow the source code to be outputted but not many. There's no reason to try to look for those bugs, you will most likely be wasting your time.
vBulletin will on occasions show its source code and it isnt difficult to force it to do so. I will not say how you do it as it is obviously very close to hacking and this is the main reason why most people will want to find code however there is no shortage of pages on the web that are prepared to teach others on how to do these types of things.
Well you used your argument seemingly against PHP in general, instead of mentioning in only works in certain situations, most likely with very poorly written scripts or at least poorly written parts of scripts. And if I am thinking of the same method as you for showing source code of PHP files, then it is not really PHP showing its own source, it is PHP reading the contents of a file whose filename is determined by invalidated input. This could happen using any scripting language.
It is a known security flaw with PHP and we are yet to find a page that it does not work with so not sure if we are thinking of the same thing or not. If you consider .Net a scripting language then it isnt possible with .Net as the "script" is precompiled into MSIL and so there is no "script" to force the server to show.
Please show me the code of www.narutowallpaper.biz/index.php to prove PHP will willingly output its own code...
It doesnt do it willingly but it can be forced to without too much pain. Our machines are stress testing for the next couple of days but should be able to spare them after that to view the source
I've seen many websites output the php code includes, this normally happens while Apache is being restarted.