Post #1, May 31 2008, 05:42 AM
Member [Level 1] Group: [HOSTED] Posts: 68 Joined: 21-May 08 Member No.: 62,444
I am quite new to PHP and this concern came to my mind after playing around a bit with it...
When PHP is not correctly configured on the web server, the source code of a PHP file we try to access through a browser will be shown instead of the result of the code itself. This will normally not happen when PHP is working properly, but I was just wondering if it could still be possible to see that code if a user wanted to or if something on the server failed. This would for example expose sensitive information like MySQL passwords and so on... Is anything like that possible and/or likely to happen? Thanks!

Post #2, May 31 2008, 06:19 AM
Advanced Member Group: [HOSTED] Posts: 115 Joined: 23-May 08 From: Australia Member No.: 62,543
Is it possible if the server is not set up right? Yes. PHP has extensive logging abilities. You can log to error logs, or display errors straight into pages that are output. This displaying of errors is useful in production/development machines only, as the web programmer can easily find out what error it is without resorting to error logs. Of course, this should be disabled in the final version which goes online, as we don't want visitors seeing sensitive data, do we? For some reason, I find a lot of web servers don't do this.
In php.ini - I *think* it's display_errors. You'll need to find out yourself, or ask and let someone else answer. Minus this, there isn't a really easy way to simply see the source code. Naturally, if someone was to hack into your FTP account, and steal/download the PHP files, they'd get the PHP source.

Post #3, May 31 2008, 06:57 PM
Ephesians 6:10-17 Group: [MODERATOR] Posts: 1,916 Joined: 22-June 05 From: The World of Gentoo Member No.: 8,528
Normally, if you want someone to view the source code of a PHP file, you just end the PHP file with the extension "phps". Most Apache configurations have it set up like that. It's not necessarily PHP's configuration that deals with the scenario you're talking about, it could just be how the server has its extensions set up. Another reason why a PHP file would output its source code is when PHP itself is not installed.

Post #4, Jun 1 2008, 08:26 PM
Member [Level 1] Group: [HOSTED] Posts: 66 Joined: 2-April 08 From: Berkshire, England Member No.: 60,270
I don't think so, if it did it would probably be the fault of the server.
If you want people to be able to see the source code, change the extension to something like .txt or .phps.

Post #5, Jun 2 2008, 02:18 AM
Member [Level 1] Group: [HOSTED] Posts: 68 Joined: 21-May 08 Member No.: 62,444
Thank you guys for your answers!
So just to wrap it up, it seems like the possibility of unwanted disclosure of PHP code in browsers is quite remote, unless we want it to happen by explicitly indicating it (for example changing the extension to phps or txt depending on the server configuration). Anyway, nothing is impossible, and ultimately it is up to the server to do a good job and prevent that from happening.

Post #6, Jun 2 2008, 03:59 PM
Define:EVIL PROGRAMMER (ē'vəl prō'grăm'ər)- n. An organism that converts caffeine into evil software. Group: [HOSTED] Posts: 1,076 Joined: 25-September 05 From: Los Angeles, California Member No.: 12,251
Unfortunately, this exact issue happened to me. Apparently Xisto was updating their version of PHP and for about an hour the PHP code was not being parsed out. My only suggestion is to hide the sensitive information that you do not want to be revealed in a directory that only PHP can access and not a client.

Post #7, Jun 2 2008, 05:16 PM
Super Member Group: Members Posts: 290 Joined: 5-October 07 From: Random Places Member No.: 51,171
Well, under normal circumstances, the code is not revealed. It is parsed by the server and is not shown in the HTML source. If something fails though, the source could leak out. I would just suggest making it so that only PHP can read sensitive files, and that the browser cannot access them.
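Putting the advice from this post and from post #2 together (errors go to the log, not the page; secrets live where only PHP can read them), here is an added example that is not from the thread: a small PHP bootstrap that refuses to start if the secrets file sits inside the document root, so that an unparsed or misconfigured PHP handler has nothing sensitive to serve. The directory layout, the config file name and the config values are assumptions.

```php
<?php
declare(strict_types=1);

// 1. Errors go to the log, never into the page (post #2's display_errors point).
//    These runtime overrides should match what php.ini already says.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * 2. Load secrets from a file OUTSIDE the document root, so that if the PHP
 *    handler is ever missing or misconfigured the web server cannot serve it.
 *    Assumed layout (hypothetical):
 *      /var/www/example/public/index.php  <- DocumentRoot
 *      /var/www/example/config/db.php     <- not reachable by any URL
 */
function loadSecrets(string $secretsFile): array
{
    $real = realpath($secretsFile);
    if ($real === false) {
        throw new RuntimeException('secrets file not found: ' . $secretsFile);
    }

    // Refuse to start if the secrets file lives under DOCUMENT_ROOT.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('secrets file is web-accessible; move it outside DOCUMENT_ROOT');
    }

    // db.php must `return [...]` and never echo anything.
    $config = require $real;
    if (!is_array($config) || !isset($config['db_host'], $config['db_user'], $config['db_pass'])) {
        throw new RuntimeException('secrets file must return db_host, db_user and db_pass');
    }
    return $config;
}

// Contents of config/db.php (constructed placeholder values, not real credentials):
//   <?php return ['db_host' => 'localhost', 'db_user' => 'app', 'db_pass' => 'PLACEHOLDER'];

$secrets = loadSecrets(__DIR__ . '/../config/db.php');
$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=app', $secrets['db_host']),
    $secrets['db_user'],
    $secrets['db_pass']
);
```

Denying web access to the config directory in the server configuration is a useful second layer, but keeping the file outside DocumentRoot is what still protects you in the situation post #6 describes, when PHP is not parsing files at all.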

Post #8, Jun 10 2008, 11:44 AM
Member [Level 1] Group: [HOSTED] Posts: 68 Joined: 21-May 08 Member No.: 62,444
QUOTE
Well, under normal circumstances, the code is not revealed. It is parsed by the server and is not shown in the HTML source. If something fails though, the source could leak out. I would just suggest making it so that only PHP can read sensitive files, and that the browser cannot access them.
QUOTE(galexcd @ Jun 2 2008, 11:59 PM)
My only suggestion is to hide the sensitive information that you do not want to be revealed in a directory that only PHP can access and not a client.
I think these are very good and simple suggestions to work around the issue.