How to prevent PHP files from being downloaded? And what are some ways someone can download them?

Question

How do i prevent php files from being downloaded "illegally" like through the browser. And what are some ways someone can use to download the php files?

Answer 1

You can't really avoid files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:

<?php
readfile($_GET['file']);
?>

If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:

# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
    <FilesMatch "\.(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml file as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
    AddType text/html .php .phtml .phps
    AddHandler application/x-httpd-php .php .phtml
    AddHandler application/x-httpd-php-source .phps
</IfModule>

Answer 2

Under normal circumstances, nobody is able to download PHP source code, since it is executed on the server. The webserver recognizes PHP scripts and passes them to PHP. The result is then passed back to the browser of the requesting user. The situation you described can only be achieved, if the webserver configuration is really messed up.

Answer 3

<?php
header('Content-disposition: attachment; filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?> 

Answer 4

Under normal circumstances, nobody is able to download PHP source code (same as the other answer), But if you have a file with a different extension example : page1.bak and you have a page1.php, the page.bak gets downloaded if you just put in the url ht..//.../page1

I have confirmed this with PHP version 5.3.10-1ubuntu3.2 and Apache/2.2.22 In summary avoid putting your config or test files in the production directory unless you want them to be downloaded in raw state.

The Option Multiview should also be disabled in apache2.conf or httpd.conf to avoid defaulting to returning "near-like" filename.

Answer 5

You never download the php file from a web server running php. You can donwload the HTML delivered from the php like in this answer. You don't get php script you get HTML + JavaScript (if some)

<?php
header('Content-disposition: attachment;
filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>