How PHP files are protected

I was wondering how PHP files are actually protected. Why is it impossible to download a PHP file even if its exact location is known?

When I upload a PHP file to my web server, say to domain.com/files, and I open the domain.com/files page, I can clearly see the PHP file and its actual size. However, downloading the file results in an empty file.

The question is: how does the security mechanism work?

+4
5 answers

The responsibility of the web server is to take a PHP script and pass it to the PHP interpreter, which sends the HTML (or other) output back to the web server.

An incorrectly configured web server may incorrectly process the PHP script and send it to the requesting browser in its raw form, which will allow you to directly access PHP scripts.

Your web host may have a mechanism for listing the contents of the directory, but unless it also provides a download mechanism that serves a PHP script with plain-text headers (as opposed to HTML) without passing it to the PHP interpreter, the script will be executed as PHP, not served.

To download a raw PHP file, the server would have to do additional work (possibly through another PHP script) that reads the PHP file from disk and sends its contents to the browser with plain-text headers.

+7

When you request domain.com/files, your web server is configured to display all the files in this directory.

When you request the actual php file, the web server executes it and returns the results back to you, not the source code.

Of course, both of the above can be configured. You can toggle the directory listing, and you can disable parsing of PHP files so that the actual file contents / source code are displayed.

Disabling the directory listing is generally good practice.

+2
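
The first three answers describe two separate server settings: the handler mapping that makes Apache execute .php files instead of serving them, and the directory listing that revealed the file in the first place. The following Apache virtual host is an added example, not configuration from the original thread or from any of the posters; the hostname, document root and PHP-FPM socket path are placeholders. It shows the weak setting beside the hardened one and adds the rule a practitioner would want for an upload directory, which should never execute what it stores.

```apache
# Added example (not from the original thread). Hostname, paths and the
# FPM socket are placeholders; adjust them for a real host.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example

    # 1. The "security" the answers describe: map the .php extension to
    #    a handler. Apache then hands matching files to PHP and returns
    #    the script's output instead of the file's bytes. Anything with
    #    no matching handler (.txt, .inc, .php.bak, editor backups) is
    #    still sent verbatim as a static file, so keep such copies out
    #    of the document root.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
        # PHP-FPM alternative to the mod_php line above:
        # SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
    </FilesMatch>

    # Serving PHP source is opt-in and explicit; this is the "additional
    # work" the first answer mentions. Leave it disabled in production.
    # AddType application/x-httpd-php-source .phps

    <Directory /var/www/example>
        # Weak: +Indexes is what produced the listing in the question.
        # Options +Indexes +FollowSymLinks
        # Hardened: no listing, no following of symlinks.
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # 2. An upload directory must never execute its contents. With the
    #    engine off (mod_php only) and PHP-like extensions denied, an
    #    uploaded .php is refused rather than run.
    <Directory /var/www/example/files>
        Options -Indexes -ExecCGI
        php_flag engine off
        <FilesMatch "\.(php|phtml|phar|phps)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

To confirm the mapping is in effect, request a script with `curl -I`: a handled .php returns whatever Content-Type the script sets (typically text/html) and a Content-Length unrelated to the file's size on disk, whereas a file served raw comes back with its on-disk size and a text/plain or octet-stream type. Requesting the uploads directory itself should return 403 once `-Indexes` is set and no index file exists. The claim that source "can never be accessed" holds only for files the handler map covers; the same mechanism that protects app.php does nothing for app.php.bak.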

When you first install PHP on your server, it reconfigures Apache so that when a .php file is requested, Apache passes it to PHP. PHP then processes the code in the file and returns any text the PHP code echoed or printed to Apache, which then sends it back over the network to the person who requested the PHP file.

The "security" is simply that Apache does not just serve the PHP file, but passes it to the PHP processor for execution. If Apache is not configured correctly or you are using server software that does not recognize PHP, an unprocessed PHP file will be sent to the client.

+1

Short answer: since the server is configured to execute PHP files and return the results, you can never access the PHP source from the outside. All code is immediately executed by the server. So, to answer your question:

The security mechanism is that .php files are automatically executed by the server when they are requested.

0

This is a huge misconception. When you try to access a PHP file through port 80, your request is most likely handled by a web server that does something with the file. In the case of PHP, it runs the file through the PHP interpreter, which causes the file to generate some output, and that output is what is sent to you.

You can easily allow PHP files to be downloaded by removing the interpreter for that file type. If the web server has nothing special configured for the file and does not understand it, it will simply offer it for download.

0

Source: https://habr.com/ru/post/1396450/
