[thelist] Securing PHP source WAS: Use PHP for content?

MarsHall evolt at marsorange.com
Thu Nov 21 16:31:00 CST 2002


On Thursday, Nov 21, 2002, at 16:13 US/Central, Alex Ezell wrote:
> How does one go about securing their PHP source code?

PHP is, by default, relatively secure. Of course HOW you build your PHP
scripts and config your server will dictate the inherent security risks
for your server. For the most authoritative explanation of PHP
security, see:

	http://www.php.net/manual/en/security.php

The person who coded that site ( http://www.camst.net/ ) simply made a
mistake. They put a block of PHP code with an include in their index
file, but made that file .html instead of .php. So, if you view the
source of the site's index page, you see that unparsed PHP code,
revealing the name of a completely unsecured .inc file.

Maybe they switched the extension on that file from .php to .html
because it was loading so slowly as .php. [chuckle]

Mars :)
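
An added example, not part of the original post: a small audit a site owner can run over their own document root to catch the mistake described above, namely PHP code sitting in a file the server will not parse, and .inc files that would be sent to clients as plain text. It assumes only .php files are handed to the PHP interpreter; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the server hands only these extensions to the PHP interpreter.
PARSED_BY_PHP = {".php"}
# Matches "<?php" and the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PARSED_BY_PHP:
                continue  # executed server-side, source is not sent to clients
            with open(path, "rb") as fh:
                has_php = bool(PHP_OPEN_TAG.search(fh.read()))
            if ext == ".inc":
                # Under the assumption above, .inc is not parsed, so any
                # request for it returns the raw source.
                findings.append((rel, "include file served as plain text"))
            elif has_php:
                findings.append((rel, "PHP code in a file the server will not parse"))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree reproducing the mistake described above."""
    samples = {
        "index.html": '<html><?php include("db.inc"); ?></html>\n',
        "db.inc": '<?php $db_password = "constructed-placeholder"; ?>\n',
        "contact.php": '<?php echo "hello"; ?>\n',
        "about.html": "<html><body>static page</body></html>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, reason in audit_docroot(tmp):
            print(f"{rel}: {reason}")
```

Each finding is fixed by renaming the file to an extension the server parses, or by moving include files outside the document root.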



