-2

The dilemma I have is my website index.php calls to a template php file on a button press like this:

case 'main':
        $page = getTemplate('main.php', array('user'=>$user));
        echo $page;
        break;

This main.php template file is in a folder in "/var/www/template/". How do I stop people going to domain.com/template/main.php and viewing the code for that page? I think the solution would be to make the localhost be able to pull it and display it rather than the user, or something along those lines. Any help would be appreciated, thank you.

IAM ME
  • If your website is configured to render .php pages, then even if a visitor browses to main.php it won't show them the source PHP; it will show them rendered HTML – j08691 Jan 06 '21 at 16:37
  • 1
    In other words, make sure PHP is installed; the easiest way is to create a new file and add this code to it – JonoJames Jan 06 '21 at 16:37
  • 1
    If you're using PHP then that code is being executed server-side and not returned to the client. If you're returning PHP code to the client then you've misconfigured something, and there are duplicate questions to address that. If you don't want the user to be able to request the template at all then keep the file outside the web server document root and there won't be a URL to access it. – David Jan 06 '21 at 16:40
  • My question is: if they go to the file path, then it shows the PHP file's source code; how do I stop that? I tried htaccess to stop directory surfing, but that stops the code above rendering the PHP file as well. – IAM ME Jan 09 '21 at 11:19

2 Answers

0

Like a comment said, the PHP file will not be printed; it will print the HTML result that the PHP file produces. Maybe it produces some errors indicating vulnerabilities to a potential attacker? If that's your case, you should handle this directly in the PHP code or use a .htaccess at the root of your site. You can't find some help there. How to deny access to a file in .htaccess

0

Managed to fix this by putting this at the top of the php page I wanted to render:

<?php

if (!isset($_GET['page'])) {
    header('Location: /main');
    exit();
}

?>

This means if someone goes to "domain.com/template/main.php" to attempt to view the source code, it will redirect them back to the main webpage for my site. Thanks for your suggestions, however.

IAM ME
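
An added example (not code from the question or either answer) of the approach David's comment describes: keeping templates outside the document root, so that blocking direct requests does not depend on any value sent with the request. The body of `getTemplate()`, the `/var/www/app-templates` path and the `IN_APP` constant are assumptions; the question shows only the call.

```php
<?php
// index.php, inside the document root. Assumed layout: templates live in
// /var/www/app-templates, which the web server does not serve, so no URL
// maps to main.php.
declare(strict_types=1);

const TEMPLATE_DIR = '/var/www/app-templates'; // assumed path, outside the docroot
define('IN_APP', true);                        // hypothetical marker checked by templates

/**
 * Hypothetical implementation of the getTemplate() call shown in the question:
 * renders one template with the given variables and returns the HTML.
 */
function getTemplate(string $name, array $vars = []): string
{
    // Accept plain file names only, so "../" or absolute paths cannot be
    // used to include files from elsewhere on disk.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        throw new InvalidArgumentException('Invalid template name');
    }

    // realpath() resolves symlinks; confirm the result is still inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Template not found');
    }

    // Render in an isolated scope and capture the output as a string.
    $render = static function (string $__path, array $__vars): string {
        extract($__vars, EXTR_SKIP); // never overwrite $__path / $__vars
        ob_start();
        try {
            require $__path;
            return (string) ob_get_clean();
        } catch (Throwable $e) {
            ob_end_clean(); // discard partial output on failure
            throw $e;
        }
    };
    return $render($path, $vars);
}

// Usage, as in the question:  echo getTemplate('main.php', ['user' => $user]);
// Second layer, as the first statement of each template file:
//   if (!defined('IN_APP')) { http_response_code(404); exit; }
```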