In this question I was interested in the code given in one of the answers.

    /* secure database connection: the file sits above the site root, so if PHP
       suddenly goes down, nobody will be able to see the database login and password */
    include_once('../db-site.php');

As I understand it, the author is afraid that an Apache + PHP server, instead of executing the PHP script, will hand out its source code in plain text. But this should be impossible in principle (as I understand it), because even if PHP is down, Apache will still try to run the PHP that lives at the *.php address, so the user will get an error in reply, or nothing at all.
Question: under what conditions can the server serve the source code?

  • I do not know, but I personally have seen this. - Oleg Arkhipov
  • @ReinRaus - this problem is not solved by a couple of lines in the config. As for writing an article - I have no desire to. - Zowie
  • @ReinRaus, the question is off topic, but you seem to be friends with the regulars: is it possible with a single expression to take only a certain group of characters that are mixed with superfluous ones? That is, from the line "id: 12_42; key: 123" take "1242"? - user207618
  • You can. To do this you need to use a regex replacement rather than a search: the replacement is applied to all of the text except the part you want. - ReinRaus

7 answers

If PHP is down, the server will give the PHP listing (source code).

  • Yeah... Somehow it never even crossed my mind... But that is how it is... So, as I understand it, the include has to pull the PHP file from outside the DOCUMENT_ROOT folder, right? - Dobby007
  • @Dobby007, yes. Install Joomla, disable PHP, and in a minute I will do whatever I want with your database. - Oleg
  • I still remember Facebook had that kind of trouble. On Habr you can find the code of a couple of pages, or even more. - lnart
  • Well, now I will move my index))))) By the way... Try making an .htaccess and putting an <IfModule> check in it. I do not know how it will work, or whether it will work at all, but you can try.... - Dobby007
  • @Dobby007, it will hardly work; as far as I can see, Apache simply checks that the module is loaded, and whether PHP works or not is another question. - Dex

Why so much panic? We write an adequate .htaccess that redirects all requests to index.php, and in index.php we include only the necessary files (kernel, controller, etc.); then even if PHP falls over, the user will receive a listing of index.php only. Only a pervert would store the database connection file under the site root; that is, excuse me, paranoia.

  • After receiving the index listing, we get the names of the kernel and controller files. We open them, get more code plus the paths of the classes that work with MySQL, and then right away the config. And so, moving from file to file, you can copy the whole site)))) - lnart
  • @lnart, well, yes. - Oleg
  • @lnart and @exec... I said something and only now thought about it... How will he get the whole site if .htaccess blocks all requests to the system files except index??? - Dobby007
  • @lnart @exec, before making such a claim, I would recommend checking it in practice. - FLK
  • I do not understand what you are arguing about: the kernel, database and other hidden files are named in a special way, an extra extension is added, and in .htaccess only reading of the *.php extension is allowed. @FLK put it sensibly, without specifying what needs to be done; as for how to do it, a flight of fancy will suggest. - Dex

Do not be so perverse) In index.php we write the includes, and we restrict the rest of the code to a folder. I did this:

    # .htaccess
    ErrorDocument 404 /404.html
    RewriteEngine On
    # folders
    RewriteRule ^system/.*/$ /404.html [L]
    # .php files
    RewriteRule ^system/.*\.php$ /404.html [L]

Well, if .htaccess support goes down, most likely it means Apache itself has gone down.

  • +1 I stated the same idea above. You can even put the .htaccess blocking code into httpd.conf. And if mod_rewrite crashes, Apache will simply give an error on loading, and no file will be served at all in any way... Well, so it goes... By the way, you would still have to try hard to make mod_rewrite fly off... - Dobby007

I have done both. I am a supporter of fewer entry points in the program. That is: there are index.html and api.php in /var/www/web/ <--- the web root, and there are many files behind it (/var/www/core/*.php).

In api.php there is a line that pulls in a startup file with the modules (via require; compared with a plain include the time difference is not noticeable). For example:

    api.php   -- require -> ../core/start.php
    start.php -- require -> ./*.php

api.php contains a class which, depending on the request, uses one or another class and returns the necessary information.

Thus, I protected myself from:

  1. If PHP is down, no one will get the sources anyway. In any case, there is nothing in api.php that would help an attacker break one thing or another.
  2. The smaller the number of entry points in the program, the easier it is to control the correctness of requests => if a hole is noticed, it is very easy to close it :)

Actually, that is everything :)

  • Somehow I did not really understand. - Oleg

So that the sources are not stolen, it is enough to encode the scripts with something like Zend Guard. Well, and if you have your own server, even a virtual one, with remote connections to the database disabled, the "stolen" passwords will not help anyway.

Well, if you have no money for a decent hosting or Zend Guard, then who needs to break you?

PHP does not have to fall over. It is enough to put this in .htaccess, or better still to register it in php.ini:

    AddType application/x-httpd-php-source .php

And instead of the results of the computation, the server will produce a beautifully highlighted source listing.

  • Well, that is understandable. An interesting option: everything is set up to run the script, and the source is served instead. - ReinRaus
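An added self-audit script (not from any of the answers) for the two disclosure cases discussed in this thread: credential-bearing PHP files inside DOCUMENT_ROOT, which become plain text the moment the handler is gone, and an AddType application/x-httpd-php-source directive in a config file, which serves source even while PHP runs. The sample directory tree, file contents and credential patterns are constructed for the demonstration.

```python
"""Self-audit for the source-disclosure cases in this thread (example code,
not from the answers; paths and patterns are constructed)."""
import os
import re
import tempfile

# Heuristics for files holding database credentials (extend for your code base).
SECRET_PATTERNS = [
    re.compile(r"mysqli?_connect\s*\(", re.I),
    re.compile(r"new\s+PDO\s*\(", re.I),
    re.compile(r"\bDB_PASS(?:WORD)?\b", re.I),
]
# Directive that makes Apache emit highlighted source instead of running PHP.
SOURCE_HANDLER = re.compile(r"application/x-httpd-php-source", re.I)
CONFIG_NAMES = (".htaccess", "httpd.conf")

def audit_docroot(docroot):
    """Walk docroot; return (secret_files, source_handler_configs), sorted,
    relative to docroot. Files above docroot (../db-site.php in the question)
    have no URL and are therefore not reported."""
    secrets, handlers = [], []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, docroot)
            if any(p.search(text) for p in SECRET_PATTERNS):
                secrets.append(rel)
            if name in CONFIG_NAMES and SOURCE_HANDLER.search(text):
                handlers.append(rel)
    return sorted(secrets), sorted(handlers)

def build_sample_site():
    """Constructed layout from the thread: web/ is DOCUMENT_ROOT, db-site.php
    sits one level above it, system/db.php and a bad .htaccess sit inside."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "web")
    os.makedirs(os.path.join(docroot, "system"))
    files = {
        "../db-site.php": "<?php $c = mysqli_connect('localhost', 'app', 'xx');\n",
        "index.php": "<?php include_once('../db-site.php');\n",
        "system/db.php": "<?php define('DB_PASS', 'xx');\n",
        ".htaccess": "AddType application/x-httpd-php-source .php\n",
    }
    for rel, body in files.items():
        with open(os.path.normpath(os.path.join(docroot, rel)), "w") as fh:
            fh.write(body)
    return docroot
```

Run audit_docroot against your real DOCUMENT_ROOT; on the sample tree it reports system/db.php as a credential file reachable by URL and .htaccess as a config that serves source, while db-site.php above the root is correctly left out.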

It is better to write the code so that it could even be put on GitHub and nothing secret would get out.

And keep database access and API keys in environment variables (http://12factor.net/ru/config) or even in a third-party service (https://www.vaultproject.io/docs/secrets/consul/).