Protect PHP source files against file_get_contents()?

Question

I have had more than a few clients ask for the same things. Blogs, shopping carts, newsletter systems, etc.

So, instead of recreating the back-end every time, I've created a cool little PHP application. The first part of my application acts as a package manager. There is a config file that I use to input all the information my packages will need.

The main information that is contained in that config file is the username and password of the administrator (hashed though the password may be), and the connection information to the MySQL database.

I got to thinking about it when I started using file_get_contents() in my packages...can't someone from a remote server list the site directory, and use file_get_contents() from their end to view my PHP source?

Obviously this is a huge security problem if that is, and I can't seem to think of a way to stop that from happening.

Is there a standard way to protect against these kinds of attacks?

Answer 1

If you fopen() , file_get_contents() or use another PHP function to open a file over HTTP and that file doesn't actually output anything, then nothing will be received. The HTTP server will execute the PHP and send the output just as it does when viewing in a browser.

So long as your webserver is configure to serve these PHP files after being processed by PHP then there is no issue.

Answer 2

file_get_contents()

Just get response headers and body data. Body - HTML, JSON data, XML and etc, in addiction how set remote server. If remote server don`t support PHP code, and dont install PHP interpreter, then php code for that server its just file with text, then call file_get_contents() return php code.

Answer 3

file_get_contents() functions gets only HTML code (what the page shows up when you load it), not full PHP code.

To get the full content of a file, you need to use functions like fopen() , and it's only unavailable.