Can anyone get access to my PHP source code?
With a correctly configured web server, the PHP code isn't visible to your website visitors. For the PHP code to be accessible by people who visit your website, the server would have to be configured to display it as text instead of processing it as PHP code.
So, in other words, if you visit your website and you see an HTML page and not PHP code, your server is working correctly and no one can get to the PHP code.
Can a client view server-side PHP source code?
No, unless
- There is a server misconfiguration
- There is a bad echo/include somewhere
Is it possible for someone to read or write my .php files on the server if they have world read/write permissions?
Yes and no. Can anyone who is viewing the files over the net? No. However, anyone with the ability to log on to your machine could change the files (since they are world readable / writable.) In general, this isn't a good practice. I'd advise not permitting more than 775. If you are in a hosted environment, this shouldn't be a problem though.
How can I view PHP source code on a live site?
No, as it is interpreted on the server-side and the results are sent to the user. If you want to view the source code of a site you control in-browser, consider the FirePHP extension for Firebug, or just access your site files with your preferred method.
How do I read the source code without access to file
You can technically see the function content using Reflection, but you must include the file.
function thatIsMyFunction($a) {
    $x = $a * 3 / ($a + 7);
    return $x;
}

// Print the source of a named function by reading its defining file.
function function_dump($function) {
    try {
        $func = new ReflectionFunction($function);
    } catch (ReflectionException $e) {
        echo $e->getMessage();
        return;
    }
    // Reflection line numbers are 1-based; file() returns a 0-based array.
    $start = $func->getStartLine() - 1;
    $end = $func->getEndLine() - 1;
    $filename = $func->getFileName();
    echo implode("", array_slice(file($filename), $start, $end - $start + 1));
}

function_dump('thatIsMyFunction');
// will dump
/*
function thatIsMyFunction($a) {
    $x = $a * 3 / ($a + 7);
    return $x;
}
*/
Best way to prevent someone reading the source code
Hiding PHP Code
If you're worried about PHP source code, providing you're keeping it on your server and not distributing it, it's all down to keeping your server secure. Nobody can read it without server access (or the misconfiguration of your server). You've included the mysql tag, you can apply the same logic as PHP for that.
Obfuscating HTML
There is little to no point, if someone wants your markup, a few entities here and there aren't going to stop them. See here
Is it possible to read php code from other sites?
It is only possible if the site's owner intentionally makes the code publicly available, or if the site has a very critical security hole. Usually, no, you cannot read other people's server-side code.
After all, we'd have huge problems if you could just read any server-side code you wanted. If, say, a bank's website were built in PHP, it would be important that raw PHP files could not be read by the public: they might contain private data like database passwords, or simply make it much, much easier to find other key security issues, since, after all, which is easier—finding problems with code you can see, or code you can't see? As much as I am a fan of open-source coding, I would not put my money in any bank that makes its source code available. It's just too risky.
However, if you're interested in learning, there are plenty of open-source web applications out there. Try searching GitHub for, say, projects written in PHP. It's definitely a good idea to read other people's code, and I'm sure you could find some stellar examples of real-world code if you know where to look. Additionally, if you ask nicely, a website owner may be willing to share parts of the source code with you, though probably not all of it, for security reasons. Couldn't hurt to ask.
Can a PHP file ever be read externally?
Well yes, if they ever actually hack into the server (SSH, FTP etc.), they may have access to files on the hard disk. A properly configured Apache server will not serve raw PHP files though, it should always process them with the PHP interpreter first.
To avoid problems with misconfigured Apache servers though (even just temporary glitches), it's advisable to keep the application files outside the public webroot. Put only a small bootstrap PHP file into the webroot which may be exposed in a pinch, but which just includes other PHP files which are not publicly accessible.
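An added example (not part of the original answers) that audits a document root for the two risks raised above: files with permissions looser than 775, and application code or credentials sitting inside the webroot instead of behind a thin bootstrap. The line threshold, the credential regex and the temporary demo tree are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Flag PHP files under $webroot that would hurt if the server ever served
// them as plain text, or that other local users could modify.
function audit_webroot(string $webroot, int $maxBootstrapLines = 10): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $mode = $file->getPerms() & 0777;
        if ($mode & ~0775) { // any bit beyond rwxrwxr-x, i.e. world-writable
            $findings[] = sprintf('%s: mode %03o exceeds 775', $path, $mode);
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
        // Assumed threshold: a bootstrap only needs a few lines to include the app.
        if (count($lines) > $maxBootstrapLines) {
            $findings[] = sprintf('%s: %d lines, move logic outside the webroot',
                $path, count($lines));
        }
        // Heuristic (assumption): a quoted value assigned to a password-like name.
        if (preg_grep('/pass(word|wd)?["\'\]\s]*=>?\s*["\'][^"\']+["\']/i', $lines)) {
            $findings[] = "$path: possible hard-coded credential";
        }
    }
    sort($findings);
    return $findings;
}

// Constructed demo tree: a thin bootstrap plus a world-writable config file.
$root = sys_get_temp_dir() . '/webroot_demo_' . getmypid();
mkdir($root, 0755, true);
file_put_contents("$root/index.php", "<?php\nrequire __DIR__ . '/../app/bootstrap.php';\n");
file_put_contents("$root/config.php", "<?php\n\$db_password = 'constructed-value';\n");
chmod("$root/index.php", 0644);
chmod("$root/config.php", 0666);

// Audit the directory given on the command line, or the demo tree by default.
foreach (audit_webroot($argv[1] ?? $root) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the demo tree the bootstrap `index.php` produces no findings, while `config.php` is reported both for its 666 mode and for the credential it holds.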