Linux 可以查看网站的PHP代码吗?

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/2995360/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-03 20:06:45  来源:igfitidea点击:

Possible to view PHP code of a website?

phphtmllinuxsecurity

提问by

Is it possible to somehow view another websites php files/codes?

是否可以以某种方式查看其他网站的 php 文件/代码?

Or to rephrase the question, Can my php codes be viewed by anybody except for those who have access to the file?

或者重新表述这个问题,除了有权访问该文件的人之外,任何人都可以查看我的 php 代码吗?

If so, how can I best prevent this?

如果是这样,我怎样才能最好地防止这种情况?

Ps: Server OS is Ubuntu 9.10 and PHP version is 5+ (Apache2)

Ps:服务器操作系统为 Ubuntu 9.10,PHP 版本为 5+ (Apache2)

采纳答案by Artelius

A bug or security vulnerability in the server (either Apache or the PHP engine), or your own PHP code, might allow an attacker to obtain access to your code.

服务器(Apache 或 PHP 引擎)或您自己的 PHP 代码中的错误或安全漏洞可能允许攻击者访问您的代码。

For instance if you have a PHP script to allow people to download files, and an attacker can trick this script into download some of your PHP files, then your code can be leaked.

例如,如果您有一个允许人们下载文件的 PHP 脚本,并且攻击者可以欺骗该脚本下载您的某些 PHP 文件,那么您的代码可能会被泄露。

Since it's impossible to eliminate all bugs from the software you're using, if someone reallywants to steal your code, and they have enough resources, there's a reasonable chance they'll be able to.

由于不可能消除您正在使用的软件中的所有错误,如果有人真的想窃取您的代码,并且他们有足够的资源,那么他们很有可能做到。

However, as long as you keep your server up-to-date, someone with casual interest is not able to see the PHP source unless there are some obvious security vulnerabilities in your code.

但是,只要您使服务器保持最新状态,除非您的代码中存在一些明显的安全漏洞,否则有兴趣的人将无法看到 PHP 源代码。

Read the Security section of the PHP manualas a starting point to keeping your code safe.

阅读PHP 手册安全部分作为保证代码安全的起点。

回答by BillThor

Noone cand read the file except for those who have access to the file. You must make the code readable (but not writable) by the web server. If the php code handler is running properly you can't read it by requesting by name from the web server.

除了有权访问该文件的人之外,没有人可以读取该文件。您必须使 Web 服务器可读(但不可写)代码。如果 php 代码处理程序运行正常,则无法通过从 Web 服务器按名称请求来读取它。

If someone compromises your server you are at risk. Ensure that the web server can only write to locations it absolutely needs to. There are a few locations under /var which should be properly configured by your distribution. They should not be accessible over the web. /var/www should not be writable, but may contain subdirectories written to by the web server for dynamic content. Code handlers should be disabled for these.

如果有人破坏了您的服务器,您将面临风险。确保 Web 服务器只能写入它绝对需要的位置。/var 下有几个位置应该由您的发行版正确配置。不应通过网络访问它们。/var/www 不应是可写的,但可能包含由 Web 服务器写入的动态内容子目录。应该为这些禁用代码处理程序。

Ensure you don't do anything in your php code which can lead to code injection. The other risk is directory traversal using paths containing .. or begining with /. Apache should already be patched to prevent this when it is handling paths. However, when it runs code, including php, it does not control the paths. Avoid anything that allows the web client to pass a file path.

确保你没有在你的 php 代码中做任何可能导致代码注入的事情。另一个风险是使用包含 .. 或以 / 开头的路径进行目录遍历。Apache 在处理路径时应该已经打过补丁来防止这种情况发生。但是,当它运行代码(包括 php)时,它不控制路径。避免任何允许 Web 客户端传递文件路径的内容。

回答by wimvds

By using exploits or on badly configured servers it could be possible to download your PHP source. You could however either obfuscate and/or encrypt your code (using Zend Guard, Ioncube or a similar app) if you want to make sure your source will not be readable (to be accurate, obfuscation by itself could be reversed given enough time/resources, but I haven't found an IonCube or Zend Guard decryptor yet...).

通过使用漏洞或在配置不当的服务器上,有可能下载您的 PHP 源代码。但是,如果您想确保您的源代码不可读,您可以混淆和/或加密您的代码(使用 Zend Guard、Ioncube 或类似的应用程序)(准确地说,如果有足够的时间/资源,混淆本身可以被逆转) ,但我还没有找到 IonCube 或 Zend Guard 解密器......)。