After all, why does the PHP source code not appear in the browser?


7

Well, I know that PHP is an HTML pre-processor, I know that it is interpreted by PHP and rendered on the page, but the source code does not appear. But is it really safe? I know it’s possible to capture page results, but I don’t know how to capture the actual page itself. Still, is it safe to leave sensitive information in the PHP source blocks?

4 answers

13


Nothing is safe if you don’t know what you’re doing. Almost all the sites on the Internet today are insecure because almost all of them are made by people who think they can decorate cake recipes and this is enough to make a website.

Interestingly, in desktop systems that do not involve the internet, security can usually be neglected without major problems. But those people who do not know what they are doing prefer to develop for the web, not even knowing that the best solution is probably a desktop or mobile application. The web should be the last option, when the others are not suitable. That is, it is a sum of errors.

Answering this question is not enough to maintain security. And everyone thinks that just this one point, plus a dozen or so others, and it is all right. Security is a moving target, it always changes, so you can only make it safe if you understand a lot about computing.

To answer this question, yes, it is safe if everything is done right. Doing it wrong isn’t. Doing it right involves a lot of things, but the main thing is to configure the server properly to process PHP pages always and not expose them. But don’t think this is enough.

If all is right, any request for something with the extension .php will be delivered to the PHP interpreter, which will execute the code on the server and send a response to the HTTP server, which will send it to the browser. So unless you do something absurdly wrong, which is almost impossible, none of the PHP code will go to the HTTP server and consequently to the client. PHP code is usually HTML mixed with PHP; only the HTML part and whatever the programming code generates for the request will go to the browser.

The fact that it does not go to the browser does not mean that it is safe, only that it will not go there under normal conditions.

And don’t trust random people on the internet. There are some myths in the answers posted here, but most are right.

  • Wouldn’t adopting a framework be a measure to increase security?

  • I don’t know, a lot of them cause insecurity, and if you use them wrong, it might be easier to cause insecurity. They help you avoid the silly mistakes, but they make it easier to commit the hairy ones. The more complexity, the more abstraction, the more each one adds, the easier it is to make a mistake and not notice. Of course, between doing everything wrong because you have no idea what you’re doing and using a framework, the second is better, but it is still not a good solution; the solution is to learn to do everything right, dedicate yourself, or hire someone who knows how to do it.

7

The PHP code runs on the server only. The PHP engine uses your code to generate the HTML code that is sent to those who requested the page.

In general, it is not possible to determine whether an excerpt of HTML was written as HTML in the original source code, or whether it was generated by an engine (such as an application in Node.js, C#, PHP, etc.). Even in cases where the most commonly used libraries leave their "tags" (such as very specific HTML comments, or repeated snippets known to those in the area), it is not possible to reverse engineer and "guess" the PHP source only from the HTML that was delivered.

So unless someone has access to your server’s FTP, it’s safe to say they won’t be able to see your code only from the generated HTML.

The risks of placing sensitive information in source code are as follows:

  • If your code is in a repository like Github or Bitbucket, those who have access to the repository can see the sensitive information;

  • If someone is inexperienced enough to put sensitive information in code, it wouldn’t be surprising if they made a slip that transformed PHP source code with sensitive information into page text (I’ve seen it happen more times than I can count). In this case the problem is not PHP itself, but the developer.

  • And also leaving some opening in a $_GET parameter or on the server through which someone can send a malicious file.

  • 2

    I don’t understand the negative here.
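The answer above lists where a secret in source code tends to leak (a shared repository, a slip that turns the PHP file into page text). The following is an added example, not code from the answer's author, showing the usual mitigation: keep the credential out of any file under the document root, in a PHP file one level above it or in an environment variable. The paths, the `DB_PASSWORD` variable name and the `db_password` key are assumptions made for the illustration.

```php
<?php
// Added example (not from the answers above): keeping sensitive values out of
// the PHP files that live under the document root.
//
// Assumed layout (hypothetical paths):
//   /var/www/app/public/index.php    <- document root, reachable over HTTP
//   /var/www/app/config/secrets.php  <- one level above the document root
declare(strict_types=1);

// BAD: a credential hard-coded in a file under the document root. If the file
// is committed to a repository, or the server serves .php files as plain text,
// the credential is exposed.
// $dbPassword = 'hunter2';

// BETTER: load the value from a file outside the document root. The config file
// is itself a PHP file that *returns* an array, so even if it were ever copied
// under the document root and requested directly, a correctly configured server
// would execute it and emit nothing instead of showing its contents.
function loadSecrets(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException('Secrets file is missing or unreadable');
    }
    // secrets.php contains:  <?php return ['db_password' => '...'];
    $secrets = require $path;
    if (!is_array($secrets)) {
        throw new RuntimeException('Secrets file must return an array');
    }
    return $secrets;
}

// Environment variables are an alternative that keeps secrets out of the file
// tree entirely; getenv() returns false when the variable is unset.
function secretFromEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Environment variable $name is not set");
    }
    return $value;
}

$secrets    = loadSecrets(__DIR__ . '/../config/secrets.php');
$dbPassword = $secrets['db_password'] ?? secretFromEnv('DB_PASSWORD');

// Use $dbPassword for the database connection; never echo it into the HTML.
echo '<p>Connected with a password of length ' . strlen($dbPassword) . "</p>\n";
```

The secrets file (or a `.env` file, if that is what the deployment uses) belongs in `.gitignore`, which addresses the first bullet in the answer; keeping it above the document root, and as a `.php` file rather than `.txt` or `.ini`, addresses the second.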

3

I have little experience with PHP, so feel free to edit and improve this answer.

The reason PHP source code does not appear is that it is not HTML code, it is executed/interpreted by the server and this code produces HTML code.

I was able to notice this myself when trying to write a basic PHP program (Hello World) in an HTML page without a server running behind it, and my browser (Chrome in this case) simply commented out the PHP code when opening the page. I was frustrated at the time. But after researching, I saw that the PHP code is used by the server, not the browser, so a trial environment for PHP should have a local server, like a Tomcat or something similar.

In short: PHP is processed by the server and the browser only receives its results and processes them for viewing. Making the browser run PHP code would be dangerous, in my opinion, as it would open up many security loopholes.

3

The browser does not have the resources to run PHP logic, only JavaScript logic.

The browser itself takes and renders the HTML, applying whatever style is defined by the CSS. At the same time, it also has the power to interpret JavaScript logic, which is what empowers the pages.

What has the power to interpret PHP is the web server, which interprets it and sends the HTTP response with the HTML body (html, css and js).

The browser has a JavaScript engine, which is like the PHP interpreter on the server, but it does not run PHP, only JavaScript.

To answer your question: yes, you can put information in your PHP that, in theory, cannot be displayed to the user in any way.

I say in theory because, if the application is not safe or there are bugs that you have not seen, some user can do something unexpected and break its logic, generating errors and allowing (maybe) the information contained in PHP to go to the browser because of the error. But, I repeat, this does not mean that the browser will run the code, it does not have 'power' for this.
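The caveat in this answer, that an unexpected error can carry information from the PHP side into the browser, is what PHP's error display settings are for. The block below is an added example, not code from the answer's author, of the production-side configuration: errors are logged on the server and the client gets a generic page. The log path and the DSN are constructed placeholders.

```php
<?php
// Added example (not part of the original answers): keeping error details on
// the server. With display_errors enabled, an uncaught exception or a warning
// prints file paths, code fragments and sometimes variable values straight into
// the HTML the browser receives. The log path below is a hypothetical location.
declare(strict_types=1);

// Production settings: never render errors into the response, always log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-errors.log'); // hypothetical path
error_reporting(E_ALL);

// Turn notices and warnings into exceptions so that every problem reaches the
// single handler below instead of being printed in the middle of the page.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// One handler for anything uncaught: full detail goes to the log, the browser
// receives a generic message and a 500 status.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>Something went wrong</h1><p>The problem has been logged.</p>';
});

// Example code path: a database credential that must not appear in any error
// text. The fallback value exists only so the demo runs without the variable.
$dbPassword = getenv('DB_PASSWORD') ?: 'placeholder-only-for-demo';

function connect(string $dsn, string $password): PDO
{
    // A PDOException message can include the DSN and host details; the handler
    // above keeps that out of the response and in the log.
    return new PDO($dsn, 'app', $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

$pdo = connect('mysql:host=127.0.0.1;dbname=app', $dbPassword); // constructed DSN
echo "<p>Connected.</p>\n";
```

On a development machine the same two `ini_set` calls can be flipped the other way; the point is that the setting is decided by the deployment, not left to whatever `php.ini` happens to ship with the server.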
