Can you see PHP scripts client side?

Posted 2019-10-02 09:33

Question:

I'm only asking this to make my site as secure as possible since it will be dealing with personal information. This is why I chose PHP to code with as it is run all server side but I heard there are certain tricks out there that you can read scripts if the URL is learned where the script is. I haven't seen this personally myself so I'm just wanting some clarification to make sure that coding in PHP is the best choice security wise.

Basically I want to have as little likelihood of being hacked in some way as possible. I will be applying SSL certificates once I'm done with the development of the site and I know that'll help quite a bit with information being transmitted back and forth being encrypted.

Answer 1:

Nobody can see your code because Apache (or whatever web server you use) is instructed to EXECUTE any .php files rather than simply serve (display) them as it does by default (with .html, .css, .js, etc).

I think what you may have heard of is a general security concern using PHP in general: if you are using a shared host (where other users also use the same server as you) they will generally be able to view your code programmatically, that is to say they can write a PHP script which lists your PHP scripts -- this does require that they know the physical directory your scripts are stored in, but again they could write a PHP script to try and discover this.

Generally speaking this isn't an issue, but if I'm doing anything of a sensitive nature (such as taking card payments) I always ensure I'm working in an environment only I have programmatic access to (i.e. a virtual server or a dedicated server -- by virtual server I mean a virtual machine to which I have dedicated exclusive access, do not confuse this with "Virtual Hosts" which are shared servers).



Answer 2:

No one can read your code unless you have error reporting enabled and an error occurs that exposes the code. Make sure you have error logging on and error reporting off when you are ready for users.

Set ini_set('display_errors', 'Off'); in your PHP code (or directly into your ini if possible).
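As an added example (not part of either answer), the following startup check applies the settings Answer 2 recommends and then re-reads them to confirm they took effect. The function names and the log file path are hypothetical.

```php
<?php
// Added example: turn error display off, error logging on, and verify
// the effective values. harden_error_output() and the log path are
// hypothetical names chosen for this illustration.

function ini_is_on(string $name): bool
{
    // ini_get() returns the raw string ("1", "On", "off", "stderr", ...).
    $flag = filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    return $flag !== false; // unrecognised values (e.g. "stderr") count as on
}

function harden_error_output(string $logFile): array
{
    $problems = [];

    // ini_set() returns false when a directive cannot be changed here,
    // for example when the server configuration has locked it.
    $wanted = [
        'display_errors'         => '0',
        'display_startup_errors' => '0',
        'log_errors'             => '1',
        'error_log'              => $logFile,
    ];
    foreach ($wanted as $name => $value) {
        if (ini_set($name, $value) === false) {
            $problems[] = "could not set $name at runtime";
        }
    }
    error_reporting(E_ALL); // record everything; visibility is controlled above

    // Re-read the effective values instead of trusting the calls.
    if (ini_is_on('display_errors')) {
        $problems[] = 'display_errors is still on';
    }
    if (!ini_is_on('log_errors')) {
        $problems[] = 'log_errors is off, errors would be lost';
    }
    return $problems;
}

$problems = harden_error_output(sys_get_temp_dir() . '/php-app-errors.log');
foreach ($problems as $p) {
    error_log("error-output check: $p");
}
echo $problems ? "FAIL\n" : "OK: errors are logged, not displayed\n";
```

A runtime ini_set() call never executes if the script itself fails to parse, so the same values should also be set in php.ini, as the answer suggests.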



Tags: php security ssl