Re: Forum displays PHP code, not website [message #177390 is a reply to message #177383]
Sat, 24 March 2012 09:24
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:jkg6cn$mjd$1(at)dont-email(dot)me...
>> On 3/22/2012 4:43 PM, M. Strobel wrote:
>>> Hmm - shure? He said "PHP application on the server was missing or
>>> defective?".
>>> Missing not, the code was displayed. Defective? Only when the
>>> application printed out PHP code - well, unlikely, but not impossible.
>> Yes, it could be an application problem. For instance, using
>> short_open_tags in the code and an update to the server disabled them.
>
> Well, it seems fine now, and it's not my server. Thanks for the variety of
> comments. I do have a few PHP pages on my websites, and I think they are
> well protected enough that the server would never display the code - at
> least I hope so, because I have passwords hard coded in them.
Although it is often the initial/beginner's approach, it is a Really Bad
Idea. Security is one aspect; deployment and maintenance is another. For
example, you would certainly not use the same database passwords locally as
you would on the server you deploy to, and you would certainly not want to
modify the main code every time a new user account becomes necessary.
The least you should do is keep the main code and authorization information
apart. The most simple way is an include that only PHP can read. The most
secure and versatile way – PK applications aside – is to use an
initialization file outside of the DOCUMENT_ROOT; for PDO there is a user-
provided example in the PHP Manual.
In fact, the majority of the LOCs of a web application should be located
outside of the DOCUMENT_ROOT (which is why ~/cgi-bin is deprecated), but
that is not always possible.
PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
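The approach PointedEars recommends, as an added example that is not part of the original post and not code from the PHP Manual: database credentials live in an ini file one directory above DOCUMENT_ROOT, the web-served script loads them with parse_ini_file at runtime, and the PDO connection is built from that. The directory layout (/var/www/example/public as the web root, /var/www/example/config/db.ini for credentials) and the key names in the ini file are assumptions for the example; the script also writes a constructed ini file to a temp directory so it runs without that layout or a database server.

```php
<?php
// Added example (not from the original post): keep DB credentials in an
// ini file outside DOCUMENT_ROOT and load them at runtime, rather than
// hard-coding them in the .php files the web server hands out.
declare(strict_types=1);

// Assumed layout: this script sits in /var/www/example/public (the web
// root) and the credentials in /var/www/example/config/db.ini. Because the
// config directory has no URL, a server that suddenly serves .php files as
// plain text (e.g. short_open_tags switched off, handler unconfigured) still
// cannot expose the password; at worst it reveals the include path.
const DB_CONFIG_FILE = __DIR__ . '/../config/db.ini';

function loadDbConfig(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("Database config not readable: $path");
    }
    // Flat file, no sections; INI_SCANNER_TYPED keeps ints/bools typed.
    $cfg = parse_ini_file($path, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("Malformed ini file: $path");
    }
    foreach (['driver', 'host', 'dbname', 'user', 'password'] as $key) {
        if (!array_key_exists($key, $cfg)) {
            throw new RuntimeException("Missing key '$key' in $path");
        }
    }
    return $cfg;
}

function buildDsn(array $cfg): string
{
    // e.g. mysql:host=localhost;dbname=app;charset=utf8mb4
    return sprintf('%s:host=%s;dbname=%s;charset=utf8mb4',
        $cfg['driver'], $cfg['host'], $cfg['dbname']);
}

function connect(array $cfg): PDO
{
    // Exceptions are thrown on error; catch them in the caller and log the
    // message server-side, never echo it to the client (it contains the DSN).
    return new PDO(buildDsn($cfg), $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// Demonstration with a constructed ini file in the temp directory, so the
// script runs stand-alone. On a real deployment each environment (developer
// machine, staging, production) gets its own db.ini with its own password,
// and the application code is identical everywhere.
$tmp = sys_get_temp_dir() . '/db-' . bin2hex(random_bytes(4)) . '.ini';
file_put_contents($tmp, implode("\n", [
    'driver   = mysql',
    'host     = localhost',
    'dbname   = app',
    'user     = app_user',
    'password = "example-only-not-a-real-secret"', // quote values with symbols
    '',
]));

try {
    $cfg = loadDbConfig($tmp);
    echo buildDsn($cfg), PHP_EOL;
    // $pdo = connect($cfg);   // uncomment where a MySQL server is reachable
} finally {
    unlink($tmp);
}
```

The ini file should be readable only by the account PHP runs under (for example owner root, group www-data, mode 0640), which is the "include that only PHP can read" part of the post expressed as file permissions; the location outside DOCUMENT_ROOT is what removes the dependency on the web server's handler configuration being correct.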