If you are talking about someone else's server, then the short answer is no. If third parties could read your PHP source code, that would be quite a security hole, since PHP files tend to contain database passwords, hash keys, proprietary algorithms and other goodies that you don't want falling in the wrong hands.

如果您在谈论其他人的服务器，那么简短的回答是否定的。如果第三方可以读取您的 PHP 源代码，那将是一个相当大的安全漏洞，因为 PHP 文件往往包含数据库密码、哈希键、专有算法和其他您不希望落入坏人之手的好东西。

If you are talking about your own server (ie. that you yourself have access to), then there are simple scripts that you can put on the server, that allow you to specify a path to any file on the server and have it returned as plaintext. However, you NEVER EVER want to place such a script on a production server, for the reasons mentioned above.

如果您在谈论您自己的服务器（即您自己可以访问），那么您可以将一些简单的脚本放在服务器上，这些脚本允许您指定服务器上任何文件的路径并将其返回为纯文本。 但是，出于上述原因，您永远不想将这样的脚本放在生产服务器上。

Generally speaking, you can't access remote source code. The PHP module would have to be disabled for this to occur.

一般来说，您无法访问远程源代码。要发生这种情况，必须禁用 PHP 模块。

But as a thought experiment, how might this happen?

但作为一个思想实验，这怎么会发生呢？

Leaving aside wholesale exploits which get access to the entire filesystem, imagine if there were a security hole in an application which allowed you to insert an line into an .htaccess file. Given that an .htaccess writable by the httpd process is useful for apps like Wordpress, it's not too outlandish a possibility.

撇开可以访问整个文件系统的大规模漏洞利用，想象一下应用程序中是否存在允许您将一行插入到 .htaccess 文件中的安全漏洞。鉴于 httpd 进程可写的 .htaccess 对 Wordpress 等应用程序很有用，这种可能性并不太奇怪。

If you added this:

如果你添加了这个：

php_value engine off

The source files now become downloadable!

源文件现在可以下载了！

It is possible if the server is not well configured that PHP files are not handles as such.

如果服务器配置不当，则 PHP 文件可能无法处理。

Some examples:

一些例子：

• Some servers are configured to show the highlighted source code of a PHP filewhen requested as .phpsinstead.
• Some developers use .incfor files that are intended to be included using includeor require. If the server is not configured to handle these as PHP as well, they will be delivered as plain text when they are requested directly.

• 某些服务器配置为在请求时显示突出显示的 PHP 文件源代码.phps。
• 一些开发人员.inc用于打算使用include或包含的文件require。如果服务器未配置为也像 PHP 一样处理这些，则在直接请求它们时，它们将作为纯文本传送。

But the developer can also be the source of vulnerability. For example when he uses a script for downloading files from the server and this script accepts nearly every input without validation.

但开发人员也可能是漏洞的来源。例如，当他使用脚本从服务器下载文件时，该脚本几乎接受所有输入而无需验证。

If the file is served from a web server that has php interpretation enabled (via HTTP) then it will be processed. The only way you'd receive the code unprocessed is if PHP was disabled somehow.

如果该文件是从启用了 php 解释（通过 HTTP）的 Web 服务器提供的，那么它将被处理。您收到未处理代码的唯一方法是 PHP 是否以某种方式被禁用。

I have encountered a mis-configured web server in the past that had one virtual host properly setup to server PHP files via the PHP interpreter. There was a second virtual host pointing at the same directory, but didn't have php enabled. This meant things like the 'config.php' for several apps where visible as plain text. As everyone knows a typical config.php has database auth credentials and other things that shouldn't be known.

过去我遇到过一个配置错误的 Web 服务器，它有一个正确设置的虚拟主机，可以通过 PHP 解释器为 PHP 文件提供服务。有第二个虚拟主机指向同一目录，但没有启用 php。这意味着一些应用程序的“config.php”之类的内容以纯文本形式可见。众所周知，典型的 config.php 具有数据库身份验证凭据和其他不应该知道的东西。

So, it is very important to understand your web server setup, and make sure you aren't doing something silly.

因此，了解您的 Web 服务器设置非常重要，并确保您没有做一些愚蠢的事情。