Noobish question: Hide source of php scripts

I know you can’t hide the source of html, no problem.

I would, however, like to know if there's a way to hide the back-end scripts that do the processing on the server side, to make them inaccessible (permissions, etc.).

It’s not so much a desire to hide “trade secrets” but rather to hide things like databases, database login information and the like.

I'm currently running on a Unix box, but wouldn't mind knowing for Microsoft stuff as well.

I'd like to think it would be something as simple as "other" permissions (like a 701 permission). I haven't really found anything like it in a Google search.

Thanks in advance.

@Dasher, May 23, 2010 — PHP files cannot be seen without first going through the PHP processor, so the only thing that will be seen is the HTML it generated. You won't see any of the DB or login info. Other files without the .php extension may be able to be seen; you can block viewing those with a .htaccess deny statement. That way only the PHP application can load those files as includes or requires.

@Jarrod1937, May 23, 2010 — No .php file should be visible to the user since it will be processed through the PHP parser first, as Dasher stated. However, there are vulnerabilities that can occur from bad programming and practices. For example, if you back up a file, do not do so by changing its extension, like index.php to index.bak, as the .bak file will not be parsed and may be shown as plain text; however, as said, you can block access to these using .htaccess. However, it is still better to back up a file using index_back.php or something similar, and ideally you shouldn't keep old backed-up files on the server anyhow.

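Added example, not code from any poster in this thread: a small POSIX shell audit for the two exposures Dasher and Jarrod1937 describe above, PHP source saved under an extension the PHP handler does not process (so the web server hands it out as plain text), and files readable by "other" on a shared host. The extension list and the demo file names are assumptions; adjust them to your own server.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a web root for the two exposures
# discussed above: PHP source saved under an extension the PHP handler does not
# process (index.bak, db.inc, editor backups like index.php~), which the web
# server serves as plain text, and files readable by "other" on a shared host.
# The extension list and the demo file names are assumptions; adjust for your server.

UNPARSED_EXT='bak|inc|old|orig|save|swp|sql|txt|php~'

# Print files under $1 that end in an unparsed extension AND contain a PHP open tag.
find_exposed_php_source() {
    find "$1" -type f -print | grep -E "\.($UNPARSED_EXT)\$" | while IFS= read -r f; do
        if grep -q '<?php' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print files under $1 with the "other read" bit set (the 4 in the last digit of 644).
find_world_readable() {
    find "$1" -type f -perm -004 -print
}

# Build a throwaway web root with constructed files so the checks can be run offline.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir "$root/inc"
    printf '<?php echo "hello";\n' > "$root/index.php"          # parsed by PHP: fine
    printf '<?php $db_pass = "secret";\n' > "$root/index.bak"   # served as text!
    printf '<?php $db_pass = "secret";\n' > "$root/inc/db.inc"  # served as text!
    printf 'todo list\n' > "$root/notes.txt"                    # no PHP inside
    chmod 644 "$root/index.bak"   # anyone on the box can read the DB password
    chmod 600 "$root/inc/db.inc"  # owner only
    printf '%s\n' "$root"
}

demo_root=$(make_demo_webroot)
echo "PHP source the server would serve as plain text:"
find_exposed_php_source "$demo_root"
echo "World-readable files:"
find_world_readable "$demo_root"
rm -rf "$demo_root"
```

Run it against a real document root instead of the demo directory to get the list of files that belong behind a .htaccess deny rule or off the server altogether.
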
@janusmccarthy (author), May 23, 2010 — Thanks a lot.

Now for people with access to the file system, is there a best practice for setting the permissions on the directories and files?

A link is fine on this if you have it handy, I've just never really seen information on how to tighten down a particular folder with web access as much as possible outside of the occasional "don't do this" or "this doesn't work".

@Mindzai, May 24, 2010 — Information on resource protection on shared hosts:

http://phpsec.org/projects/guide/5.html

The whole guide is a good read, as is the book written by the same person (Chris Shiflett), which goes into more detail.

@janusmccarthy (author), May 24, 2010 — Thanks Mindzai! I'll bookmark it and read it!

@chris22, May 25, 2010 — Another approach to "hide" PHP code is to compile it into a binary program:

http://www.roadsend.com/home/index.php

@sohguanh, May 26, 2010 — [QUOTE]Another approach to "hide" PHP code is to compile it into a binary program:

http://www.roadsend.com/home/index.php[/QUOTE]

Just to mention, there will always exist developers that attempt to decompile a binary program. We have it in Java, where some software is touted to decompile Java classes into source code format. Likewise for other programming languages.

@janusmccarthy (author), May 26, 2010 — Well, it's easier in Java specifically because of how Java is structured. Class files contain most of the symbol information that's in the source, and bytecode is mostly a two-way mapping. Do you know if compiled PHP has the same nature?

@Mindzai, May 26, 2010 — I would imagine so. Even in "normal" use, PHP isn't strictly interpreted; it is actually "compiled" on the fly (unless a cached version exists) into bytecode which the Zend engine processes, much like how I understand Java works.

@criterion9, May 26, 2010 — [QUOTE]I would imagine so. Even in "normal" use, PHP isn't strictly interpreted, it is actually "compiled" on the fly (unless a cached version exists) into bytecode which the Zend engine processes, much like how I understand Java works.[/QUOTE]

The biggest difference between the two is that the bytecode is compiled beforehand with Java and on-the-fly with PHP.

@ehime, May 26, 2010 — Thanks Crit, good fact to know about Java and precompiled bytecode.

@Mindzai, May 26, 2010 — [QUOTE]The biggest difference between the two is that the bytecode is compiled beforehand with Java and on-the-fly with PHP.[/QUOTE]

Indeed. I imagine that these compilation tools precompile the bytecode and run it on an integrated version of the engine. That being the case, I'm not sure how much protection is actually offered given that bytecode can be reverse engineered, but perhaps, unlike Java with its external VM, both the bytecode and the interpreter are bundled together, offering some protection?

I have to say, if the goal was a truly compiled binary I'd be inclined to use something like C myself, at least unless I could confirm the actual protection offered by PHP compilers.

@Jarrod1937, May 26, 2010 — PHP compilers aren't really used for increased code protection, since a breach of PHP code shouldn't occur unless something is terribly misconfigured anyway. Not to mention, if someone does directly access your compiled PHP script, then that is the least of your worries and you're probably already compromised. You should only use PHP compilers for their main purpose: to speed up PHP. The compiler saves the time it takes the interpreter to run (Roadsend compiles native binaries) as well as optimizes the code in the script.

@Mindzai, May 26, 2010 — [QUOTE]The compiler saves the time it takes the interpreter to run (roadsend compiles native binaries)[/QUOTE]

It actually compiles into native machine code, not bytecode?

@Jarrod1937, May 26, 2010 — [QUOTE]It actually compiles into native machine code, not bytecode?[/QUOTE]

I've not personally used Roadsend, though I've been looking into it for a while, and that's the way I interpret the docs on their site. They offer the ability to compile native binaries [I]or[/I] JIT compilation, which to me translates to native machine code compilation [I]or[/I] partial bytecode-into-machine-code compilation, respectively.