3

I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.

However, one thing bothers me: currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and image files. PHP files are sensitive, as they access the MySQL database and often contain passwords and file paths that are meant to remain secret from the users.

If I leave the PHP files within the WWW directory, I am afraid they can become accessible to the public, just like the other files and images. I am so scared that skilled users can download and read them and reveal secret information about my web server.

Are my worries legit? Does the web server automatically hide .php files? Should I move the PHP files to another location, away from the WWW folder? Is there any other way to protect my PHP files from being downloaded?

I am using:

  • Apache 2.4.7
  • PHP 5.5.8
  • MySQL 5.6.15
Stephen Ostermiller
Bunkai.Satori
  • 4
    No, PHP files are not accessible like static files – Muhammad Bilal Jan 02 '15 at 10:00
  • Use a .htaccess file for this – Kiren S Jan 02 '15 at 10:01
  • @madforstrength, hi and thanks. So PHP files are never served by a web server, correct? – Bunkai.Satori Jan 02 '15 at 10:02
  • PHP files in the web server are not readable by the public. The public can only see the output after the execution of the PHP files. So don't worry about passwords and sensitive data, even if they are in the www folder. – bansi Jan 02 '15 at 10:02
  • PHP just generates HTML output, and that output (HTML) can be downloaded; the code itself cannot. PHP code shouldn't be exposed if the server works properly.... – sinisake Jan 02 '15 at 10:02
  • Yes, if someone tries to access a PHP file through the browser, the server will execute the PHP script, convert it into HTML and then send it to the browser. – Muhammad Bilal Jan 02 '15 at 10:03
  • PHP files can be called by a user... but unlike HTML, CSS and JS, the content of the file will not be shown. I mean your PHP script will not be shown – Indra Kumar S Jan 02 '15 at 10:03
  • @all, I am asking because during my development, I know I was able to list all the files within my WWW folder through my web browser. I could access all of them and see them all. Images, JS files, HTML files, and PHP files too. – Bunkai.Satori Jan 02 '15 at 10:09
  • 1
    Yes. People who say not to worry are careless. If everything is configured right and your webserver is configured to run PHP files, then there is no problem. But PHP source files are just text files, and if your server is configured incorrectly, it might just treat them as such. – GolezTrol Jan 02 '15 at 10:12
  • 1
    @GolezTrol I won't suggest putting any sensitive data anywhere if the server is not properly configured. What is the guarantee that the web server honors your `.htaccess`? (Assuming an Apache web server, think of `AllowOverride None`.) – bansi Jan 02 '15 at 10:21
  • @GolezTrol, hi again, and thanks for understanding. +1. That is exactly what I mean. I have to be realistic, and be aware that my application at some point can become the object of somebody being interested in my PHP files. And I know that I was able to list the WWW file structure through my web browser. I would like to know how to disable this. – Bunkai.Satori Jan 02 '15 at 10:21
  • 1
    A webserver is configured by default to just feed the files. You need *extra* configuration to handle PHP files as PHP files, and to hide directory listings. It's easy to make an error or forget something that causes those extra settings to not work anymore. That is much more realistic than an error which grants access to files outside doc root. Good point though about uploading sensitive files to a not fully configured server @bansi. – GolezTrol Jan 02 '15 at 10:27
  • @vanamerongen, so to let you understand my logic: the WWW folder is meant to serve the files. So as I understand it: the WWW folder must be accessible to the public, as there is website content in it. However, if PHP files are within the WWW folder, there is a great risk that they can be accessed the same way as images, or HTML or any other files. – Bunkai.Satori Jan 02 '15 at 10:34
  • I understand your logic, but it doesn't have to do with where your PHP files are. It has to do with how your webserver is configured. By default it's configured so you needn't worry that users can access PHP files the way they can access HTML, image, Javascript files etc. So, doesn't matter where your PHP files are (www directory or anywhere else), they *can not be accessed like other files*. – vanamerongen Jan 02 '15 at 10:42
  • @vanamerongen, I see what you mean. The default configuration of the web server is secure enough. – Bunkai.Satori Jan 02 '15 at 10:48
  • Exactly :) So as long as you don't screw around with the config and accidentally disable PHP or something you're good. – vanamerongen Jan 02 '15 at 10:56
  • @vanamerongen, FYI, I just reproduced the problem. If I type: http://mywebsite.com/PHP/, meaning, if I type a directory folder after my domain name, then I can list all the files contained within that folder. I would say this is pretty bad, or? – Bunkai.Satori Jan 02 '15 at 11:24
  • 1
    Ah yep, the thing is: it will list your files/file structure, but the source code of the files won't be accessible. Now I understand you might have reasons to want to hide your file structure, but that's a different matter. What your question should be is not necessarily "where do I put my PHP files", but rather "how do I disable directory listing". http://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing edit: You can also opt not to list only files with .php extensions. – vanamerongen Jan 02 '15 at 11:27
  • 1
    @vanamerongen, +1 and thank you very much for your patience. Now I have some real points to continue exploring and to disable the directory listing. To be honest, I cannot exactly evaluate how dangerous it is if the directory listing is enabled. I would simply prefer having it disabled. – Bunkai.Satori Jan 02 '15 at 11:32
  • No worries. I can see why you would want that, it certainly doesn't hurt to disable. – vanamerongen Jan 02 '15 at 11:33

2 Answers

8

It's pretty safe. If you have PHP installed, your web server will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.

Apart from that, you can use .htaccess or other server configuration to disable viewing of those files.

But... It must be said that if any of these settings are configured incorrectly, the web server may serve the PHP files as plain text files!

So I think moving all PHP files out of the www folder is a good idea if they should not be accessed directly. You'll often find only one index.php that handles all requests and includes other PHP files. PHP files not in www (the document root) can still be included, so it's a good safety measure to put them in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny configuration error.

After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration or are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.

So... It is a good idea to move files out of the www folder. It's usually straightforward to do this (although it depends on your application structure), so it's just an extra safety measure that won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.

Stephen Ostermiller
GolezTrol
  • Hi and yes, that is my problem (+1). I know that I was able to see and download any files, including my PHP files as text files, through my web browser. I was able to see image files, JavaScript files, .css files, and .php files too. If I want to prevent this problem, would you have any idea where to look, please? – Bunkai.Satori Jan 02 '15 at 10:18
  • Yes. There are two different configurations. One is declaring the PHP file type: `AddType application/x-httpd-php .php`. This will tell Apache that `.php` files should be run by the PHP module. Once this is configured, you won't be able to view files as text (see also [Apache is downloading php files instead of displaying them](http://stackoverflow.com/questions/18422140/apache-is-downloading-php-files-instead-of-displaying-them)). – GolezTrol Jan 02 '15 at 10:22
  • The other setting is to disable [directory indexes](https://wiki.apache.org/httpd/DirectoryListings). You can do this using `Options -Indexes`. But despite those settings I would still move the files out of your www folder as much as possible. – GolezTrol Jan 02 '15 at 10:23
  • 1
    (+1) for the nice description, even if I disagree on some points. @Bunkai.Satori if you can see your PHP files as text files, I would suggest configuring your web server before you upload anything to that server. – bansi Jan 02 '15 at 10:25
  • @bansi, hi and thanks for your advice. Of course, I am willing to do whatever is needed. I just need to know what to configure, or at least where to start. At least I have some starting points now. – Bunkai.Satori Jan 02 '15 at 10:28
  • @GolezTrol, thanks for your patient explanations. I will wait a couple of moments to see if I get anything more from anybody. Then I will most likely mark your answer as the *Accepted Answer*. – Bunkai.Satori Jan 02 '15 at 10:29
5

Don't worry, PHP files are interpreted by the web server, and the code is not accessible directly from the web browser. In Apache's httpd.conf file, you can check that the php extension is "protected":

AddType application/x-httpd-php .php

If you are interested in giving a little extra security to your application, you can change the extension of your PHP files and your web server config (the line above). It is called security through obscurity.

Ere Männistö
tomloprod
  • Hi and thanks for your response, +1. I know that during the development, I was able to list all the files stored in the WWW folder through my web browser. I could see them all, including PHP files. During the development, I was focused on developing; I just took a note that I have to take care of this. Today, I was not able to reproduce this problem, but I am afraid there is still a way to list all the folders and directories of the WWW folder through a browser. – Bunkai.Satori Jan 02 '15 at 10:15
  • Listing the PHP files (something that should be avoided) is different from being able to read them. If you want to prevent a directory listing, do the following: `Options -Indexes` in the web server config. Or, if you want to prevent listing only PHP files (not recommended), do the following: `IndexIgnore *.php` – tomloprod Jan 02 '15 at 10:19
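An Apache 2.4 virtual host that ties together GolezTrol's answer (keep only the public entry point under the document root, so credentials and includes are never servable even if a setting breaks) and the handler and directory-listing settings from tomloprod's answer and the comments (`AddType`, `Options -Indexes`, and bansi's point that `.htaccess` only counts when `AllowOverride` permits it). This is an added example, not configuration from the question or either answer; the `/var/www/example` paths, `example.com`, and the `public/`, `app/`, `config/` layout are assumed.

```apache
# Assumed layout (constructed for this example):
#   /var/www/example/public/   <- DocumentRoot: index.php, css/, js/, images/
#   /var/www/example/app/      <- PHP code included by index.php, never served
#   /var/www/example/config/   <- db.php with credentials, never served
# public/index.php reaches the non-public code with a relative include, e.g.
#   require __DIR__ . '/../config/db.php';
# A request for /config/db.php now resolves to public/config/db.php, which
# does not exist, so a broken PHP handler still cannot leak the credentials.

<VirtualHost *:80>
    ServerName example.com
    # Only the public/ subfolder is reachable over HTTP.
    DocumentRoot /var/www/example/public
    DirectoryIndex index.php

    # Hand .php files to the PHP module instead of serving them as text.
    # (Distro packages usually ship this line in the PHP module's own .conf.)
    AddType application/x-httpd-php .php

    <Directory /var/www/example/public>
        # -Indexes: no "Index of /" page when a directory has no index file.
        Options -Indexes
        # Ignore .htaccess entirely: a stray or forgotten file cannot re-enable
        # Indexes or change the handler. Keep these settings in the vhost.
        AllowOverride None
        Require all granted
    </Directory>

    # Belt and braces: even inside the docroot, never serve dotfiles or files
    # that typically hold configuration, backups or dumps.
    <FilesMatch "(^\.|\.(ini|inc|bak|sql|log)$)">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading Apache, requesting a directory URL such as `http://example.com/images/` should return 403 instead of a listing, and `http://example.com/index.php` should return rendered HTML, not PHP source.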