The PHP portion added in the HTML page gets executed first at the server level and the result is shown to the browser through HTML. When the browser chooses the option to view the source code by a right click of the mouse, only the HTML portion is shown on the screen, hiding the PHP code. Are there any standard and simple methods by which hackers can peep into the PHP code? If yes, how do I prevent it? Chiplonkar
PHP code just can be viewed so easily. When you request a PHP page, Apache or any other server you are running sends the PHP file to the PHP compiler (well, it's an interpreter actually), the compiler compiles the file and returns it to the server, then the server throws it to the client.
@designcode: I think you're missing what the OP meant. To the best of my knowledge, without a hacker gaining control/access to a server, there is no way they can get to your PHP files.
Yeah, that's what I said. I told the whole process, from client request to server response. If anything awful happens during this process, the possibility exists that your code will be visible to the client. For example, if there comes some problem in the PHP compiler, and rather than parsing the code, it returns the whole code as it is, then? Believe me, I have seen this happen once: I opened a website and it prompted me to open a file with Programmers' Notepad, and the next instant I was looking at the source code of index.php
Does it mean that writing a password openly in the PHP code for connecting to a MySQL database is safe? E.g. are lines like this in the PHP code safe? $result=mysql_connect("localhost","xyz","password"); Chiplonkar
Does it mean that blocking FTP access to the public by setting DIRECTORY PERMISSIONS on the "public_ftp" directory is safe enough to prevent access to PHP files? Chiplonkar
There are several other ways to hack the script. For example, if you are allowing users to upload files to the server, users can upload a custom-developed PHP file which they can run by typing www.yourdomain.com/uploads/customfile.php. Now custom.php is programmed to collect all files present in DOCUMENT_ROOT, i.e. your public_html, compress them and email them to some ID, or it can even transfer them over FTP to a different server. So the caution is to disallow users from uploading .php files, or rather all sorts of executable files; only allow images and document files.
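
The allow-list advice in the last post, written out as an added example that is not part of the original thread. The function name, the extension list and the sample files are assumptions made for illustration; the check accepts only listed image/document extensions, confirms the file content matches, and replaces the client's file name with a random one.

```php
<?php
// Added example: allow-list check for uploaded files (all names are hypothetical).
// Maps each permitted extension to the MIME types its content may have.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns a server-chosen file name for an acceptable upload, or throws.
 * $clientName is the name sent by the browser, $tmpPath the temporary file.
 */
function safe_upload_name(string $clientName, string $tmpPath): string
{
    // Only the final extension is used, lower-cased; the rest of the name is discarded.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // Check what the bytes look like, not what the client claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match '.$ext'");
    }
    // Random name: no client-controlled characters reach the file system.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a minimal GIF, a PHP script, and a PHP script named .gif.
$samples = [
    'photo.gif'      => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'customfile.php' => "<?php echo 'hi';",
    'fake.gif'       => "<?php echo 'hi';",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        echo "$name -> accepted as ", safe_upload_name($name, $tmp), "\n";
    } catch (RuntimeException $e) {
        echo "$name -> rejected: ", $e->getMessage(), "\n";
    }
    unlink($tmp);
}
```

In a real upload handler the two arguments would come from the `name` and `tmp_name` entries of `$_FILES`, and the file would be stored under the returned name with `move_uploaded_file()`.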