19-01-2004, 16:03   #1
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
easy to view php source of php page?

How easy is it for a savvy website user to view the unprocessed source code of a php?

How secure is any sensitive data stored within the php code of a web page?
19-01-2004, 17:07   #2
Mr Fred
Magazines™
 
Join Date: Mar 2003
Location: Glasgow..
Posts: 11,275
Can't be seen (unless you make an error).

Server-side rendering.

All you should see is includes or variable output in the markup, as if it was written in (x)html (i.e. no php code).
20-01-2004, 04:16   #3
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
So, this is safe to use then?
Code:
… <body>
<?php
// Define your username and password
$username = "someuser";
$password = "somepassword";

if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p><label for="txtUsername">Username:</label>
    <br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
    <p><label for="txtpassword">Password:</label>
    <br /><input type="password" title="Enter your password" name="txtPassword" /></p>
    <p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php } else { ?>
<p>This is the protected page. Your private content goes here.</p>
<?php } ?> …

I'm just concerned that there may be an app that can download a php file as source (i.e. bypassing the parse instruction of the server)

The above idea seemed a good idea for a quick and easy solution to the problem of establishing basic password protection for a page.
Not saying I'm planning to use it, just that it made me wonder about the level of innate security in a php file.
20-01-2004, 04:49   #4
Mr Fred
Magazines™
 
Join Date: Mar 2003
Location: Glasgow..
Posts: 11,275
I think you may be worrying too much Bill.

As for the above code - fine I believe as there is nothing there in the rendered page.

I don't think you can crack something that hasn't been rendered (as such) - don't quote me though. There are ways of cracking mysql databases, but do you think you're at risk?
20-01-2004, 05:03   #5
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
I may well be over-thinking things though I'm not particularly expecting any threats. Security just seems to be one of those things that is constantly harped on about throughout the reading I've been doing in the past few days.

I've been looking at some prefab php script sites.
Some handy (read: genuinely useful) stuff to be found.
Takes me back to the 'kid in a candy shop' feeling I had when I very first became interested in javascript and found all those javascript download sites.

Now if I can just locate a php script to make snow flakes fall down the screen…

20-01-2004, 05:08   #6
smallbeer
I Ain't Losing Any Sleep™
 
Join Date: Apr 2003
Posts: 5,236
The only problem you'd have would be in the unlikely event of the php support on your server failing.

As added protection it's wise to separate any sensitive info from the actual script using includes. Amend your includes path so that it is above the root directory and away from prying eyes.

PHP Code:
<?php
include 'password.php';

if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {

?>

<h1>Login</h1>

<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p><label for="txtUsername">Username:</label>
    <br /><input type="text" title="Enter your Username" name="txtUsername" /></p>

    <p><label for="txtpassword">Password:</label>
    <br /><input type="password" title="Enter your password" name="txtPassword" /></p>

    <p><input type="submit" name="Submit" value="Login" /></p>

</form>

<?php

}
else {

?>

<p>This is the protected page. Your private content goes here.</p>

<?php

}

?>

PHP Code:
<?php
// password.php - kept above the web root so it can never be served as text

// Define your username and password
$username = "someuser";
$password = "somepassword";

?>
20-01-2004, 06:02   #7
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
Good thinking, bat girl.
19-03-2004, 10:38   #8
DaiWelsh
Registered User
 
Join Date: Mar 2004
Location: Derby, UK
Posts: 24
Yep, php source is as safe as anything in plain text connected to a worldwide network can be. Seriously though, it is not like javascript: there is no easy way for a hacker to see it, only if they can break into your web host, in which case all bets are off anyway.

Couple more things to watch out for:

When using includes remember to always use .php as extension or it may render when called directly (e.g. if you called an include file password.inc or less likely password.txt) depending on how that extension is handled by your server.

Ideally you should trap and log (or at the very least suppress) errors, otherwise when something goes wrong with your code/site the error message itself may give away useful info on your code. Also if you trap and log errors you may well spot attempted hacks before they succeed (or after they succeed but before they do too much damage).

HTH
19-03-2004, 12:41   #9
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
Quote:
When using includes remember to always use .php as extension or it may render when called directly (e.g. if you called an include file password.inc or less likely password.txt) depending on how that extension is handled by your server.
That's a fair point, but wouldn't it be equally secure to use a standard .html suffix, but avoid using obvious names such as password. for included files?

I actually do use .php for all site files now as most already contain php instructions and the few that don't simply look neater to me when viewing the directories.
(There's not so many that the additional redundant hits to the php parser hurt the performance)

The reason I ask is to increase my understanding of the php malarky.

I'll look into trapping/suppressing errors as you mentioned.
Is there some way of doing that site-wide or will it need to be done on a page-by-page/function-by-function level?
19-03-2004, 14:25   #10
DaiWelsh
Registered User
 
Join Date: Mar 2004
Location: Derby, UK
Posts: 24
Quote:
Originally Posted by Bill Posters
That's a fair point, but wouldn't it be equally secure to use a standard .html suffix, but avoid using obvious names such as password. for included files?

If you mean your main file is x.php and your include (with PHP code in) is y.html then that would not be a good idea as again if someone called y.html directly the PHP code would not be processed (unless .html was configured as PHP) and the php code would be shown in the html file sent back to the browser. If the include only has html anyway then that is fine, it is only files with PHP code in that you need to be careful with.

Quote:
Originally Posted by Bill Posters
I'll look into trapping/suppressing errors as you mentioned.
Is there some way of doing that site-wide or will it need to be done on a page-by-page/function-by-function level?

If you control the site config you can set error levels and (I think) default error reporting mechanism that way, but as I tend to use hosted accounts I 'roll my own' using set_error_handling() functions. There is a section about it in PHP manual e.g. here
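DaiWelsh's two posts above recommend trapping and logging errors instead of letting PHP print them into the page, and Bill asks whether that can be done site-wide rather than page by page. The file below is an added example, not code from anyone in this thread. It uses PHP's set_error_handler() and set_exception_handler(), assumes PHP 7 or later, and assumes a hypothetical layout where this file and its log both live in /home/site/private, one level above the document root; every page pulls it in with one require_once (or php.ini's auto_prepend_file points at it, which makes it site-wide without touching any page).

```php
<?php
// Added example (not from the thread).  Assumed location (hypothetical):
//   /home/site/private/error_handling.php
// Each page starts with:
//   require_once dirname(__DIR__) . '/private/error_handling.php';
// or php.ini sets  auto_prepend_file = /home/site/private/error_handling.php

declare(strict_types=1);

// Log lives beside this file, i.e. outside the web root (assumed path).
const ERROR_LOG_FILE = __DIR__ . '/errors.log';

// 1. Never show errors to visitors, but keep reporting everything internally.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG_FILE);
error_reporting(E_ALL);

function error_level_name(int $errno): string
{
    $names = [
        E_WARNING         => 'WARNING',
        E_NOTICE          => 'NOTICE',
        E_USER_ERROR      => 'USER_ERROR',
        E_USER_WARNING    => 'USER_WARNING',
        E_USER_NOTICE     => 'USER_NOTICE',
        E_DEPRECATED      => 'DEPRECATED',
        E_USER_DEPRECATED => 'USER_DEPRECATED',
    ];
    return $names[$errno] ?? "E_$errno";
}

// 2. Handler for warnings, notices and deprecations raised by PHP itself.
//    Returning true tells PHP its own handler must not run, so nothing is
//    echoed into the HTML whatever display_errors says.
function site_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour the @ operator and the current error_reporting() mask.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    // Request URI and client address are logged so repeated "attempted
    // hacks" (as DaiWelsh put it) stand out when reading the log later.
    $line = sprintf(
        "[%s] %s: %s in %s:%d (uri=%s ip=%s)\n",
        date('c'),
        error_level_name($errno),
        $errstr,
        $errfile,
        $errline,
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    );
    file_put_contents(ERROR_LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    return true;
}

// 3. Uncaught exceptions and fatal Error objects (PHP 7+).  The detail goes
//    to the log; the visitor gets a generic page and a 500 status.
function site_exception_handler(Throwable $e): void
{
    $line = sprintf(
        "[%s] UNCAUGHT %s: %s in %s:%d\n",
        date('c'),
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    );
    file_put_contents(ERROR_LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    http_response_code(500);
    echo '<p>Sorry, something went wrong. The problem has been logged.</p>';
}

set_error_handler('site_error_handler');
set_exception_handler('site_exception_handler');
```

The point of step 1 is the one DaiWelsh makes: a raw PHP warning in the page body reveals file paths, variable names and sometimes query fragments, so the browser gets nothing and the log gets everything. The log file must not be under the document root for the same reason the password include must not be.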
19-03-2004, 15:57   #11
Bill Posters
trouble free and loverlee
 
Join Date: Mar 2003
Location: YooKay
Posts: 2,899
Quote:
If the include only has html anyway then that is fine…
Sorry, should have been clearer. I would only consider using a standard .html suffix if the file contained only html (read: no php) anyway.

Thanks for the link. I'll take a sneak-peek this w/end, though a v quick preview takes me to a page which will surely have my non-geek head exploding.
I'll try to cherry-pick the bits I'm after, though I may have to fall-back to a 'PHP fer not-quite eejits' book.
19-03-2004, 16:34   #12
DaiWelsh
Registered User
 
Join Date: Mar 2004
Location: Derby, UK
Posts: 24
It is actually not as hard as it first seems, I will try to dig out some sample code for you tomorrow..
20-03-2004, 14:01   #13
pixelpyro
Senior Member
 
Join Date: May 2003
Posts: 658
Hi Guys -

Funnily enough this password protection is exactly the type that I was about to search google for.

I have a quick question (I have no knowledge of PHP, hence this may be very easy) - I have uploaded the page - works fine, but I noticed that if you put the wrong user or password details in it simply refreshes the page. Is it possible to display an error to the user that states they have supplied the wrong details and should retry?

I have a feeling a lot of users will be sitting for ages waiting for something to happen without realising they have to re-enter.

TIA
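smallbeer's post (#6) moves the credentials into an include above the web root, and pixelpyro (#13) asks how to tell the user their details were wrong instead of silently redrawing the form. The page below is an added example that puts both together; it is not code posted by anyone in this thread. It assumes PHP 7 or later and a hypothetical layout with the page at /home/site/public_html/protected.php and the credential file at /home/site/private/password.php, one level above the document root. The credential file holds a password hash rather than the plaintext, and the comparison is done with hash_equals() and password_verify().

```php
<?php
// Added example, not code posted in this thread.  Two files are assumed
// (hypothetical paths):
//
//   /home/site/public_html/protected.php  <- this file, served by the web server
//   /home/site/private/password.php       <- one level ABOVE the document root,
//                                            so no URL maps to it and it can
//                                            never be served as text, whatever
//                                            its extension (.php, .inc or .html)
//
// Assumed contents of /home/site/private/password.php:
//
//   <?php
//   $username     = 'someuser';
//   // Store a hash, not the password.  Generate it once with
//   //   php -r 'echo password_hash("somepassword", PASSWORD_DEFAULT), "\n";'
//   $passwordHash = '$2y$10$PLACEHOLDER_REPLACE_WITH_REAL_HASH';
//
// Requires PHP 7 or later (?? operator, strict_types).

declare(strict_types=1);

require dirname(__DIR__) . '/private/password.php';   // defines $username, $passwordHash

// Escape anything echoed back into HTML.  The thread's code echoes
// $_SERVER['PHP_SELF'] raw, which reflects part of the request URL unescaped.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$loggedIn    = false;
$loginFailed = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Cast so an array-valued field (txtUsername[]=x) cannot reach the
    // string-typed comparison functions.
    $user = (string) ($_POST['txtUsername'] ?? '');
    $pass = (string) ($_POST['txtPassword'] ?? '');

    // hash_equals() compares in constant time, so timing does not reveal how
    // many leading characters matched; password_verify() checks the submitted
    // password against the stored hash.  Both run unconditionally so a wrong
    // username costs the same time as a wrong password.
    $userOk = hash_equals($username, $user);
    $passOk = password_verify($pass, $passwordHash);

    if ($userOk && $passOk) {
        $loggedIn = true;
    } else {
        $loginFailed = true;   // drives the visible message pixelpyro asked for
    }
}
?>
<?php if (!$loggedIn): ?>
<h1>Login</h1>
<?php if ($loginFailed): ?>
<p class="error">Wrong username or password. Please try again.</p>
<?php endif; ?>
<form method="post" action="<?php echo h($_SERVER['SCRIPT_NAME']); ?>">
    <p><label for="txtUsername">Username:</label>
    <br /><input type="text" id="txtUsername" name="txtUsername" /></p>
    <p><label for="txtPassword">Password:</label>
    <br /><input type="password" id="txtPassword" name="txtPassword" /></p>
    <p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php else: ?>
<p>This is the protected page. Your private content goes here.</p>
<?php endif; ?>
```

Because the include sits outside the document root, DaiWelsh's warning about .inc or .html includes being served as plain text no longer applies to it: the web server has no path to the file at all, so the extension stops mattering. The one message on failure deliberately does not say which of the two fields was wrong.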