[Pmwiki-users] Re: Safer .php-files

Patrick R. Michaud pmichaud
Fri Feb 27 08:53:19 CST 2004


On Fri, Feb 27, 2004 at 03:17:25PM +0100, Thomas -Balu- Walter wrote:
> On Fri, Feb 27, 2004 at 01:36:22PM +0100, Christian Ridderström wrote:
> > Could someone comment on the risk of showing the contents of the php file?
> > I.e., why do an exit() instead of showing the file?
> 
> PHP files might contain configuration variables and similar.

Specifically, local/config.php often contains site-wide passwords, sometimes
in cleartext depending on how the administrator has entered them.  :-)

> > PS. For the files in scripts/ this isn't very important, but in order 
> > to document/let others see your configuration files, it's convenient to 
> > be able to show them somehow.

If you want to show the .php files, I suggest symlinking them into pub
somewhere and putting an AddType directive or equivalent.

> Your server might not be configured to do so, but copying/linking them
> to a file with the ending .phps will show them syntax highlighted.

Now *this* is useful, I wasn't aware of this option!  Now I've just added
the line

        AddType application/x-httpd-php-source .php

to .htaccess files in my pub/ and upload/ directories and now .php files
are displayed with syntax highlighting.  Much better than the text/plain
option I was using before that didn't work under IE!  Thanks!

(See, for example, http://www.pmichaud.com/uploads/Cookbook/smileys.php .)

One could possibly also do:

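    <?php
        // Requested directly (the PmWiki constant is not defined):
        // display this file's source and stop.
        if (!defined('PmWiki')) 
          { highlight_file($_SERVER['SCRIPT_FILENAME']); exit(); }
        // ... rest of the script ...
    ?>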

at the beginning of .php files to automatically display the source prior
to exiting.

Pm
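
Added example, not part of the original message or of PmWiki: since the thread notes that local/config.php can hold cleartext passwords, this Python check walks a directory whose .php files are served as highlighted source and reports any file, including symlinked ones, with secret-looking assignments. The regex heuristic, the directory layout and the sample file contents (including the `$SitePassword` name) are constructed assumptions.

```python
import os
import re
import tempfile

# Heuristic (assumption): a line assigning to a name containing "password",
# "passwd" or "secret" is treated as a likely credential.
SECRET_RE = re.compile(r"(?i)(passw(or)?d|secret)\w*[^=\n]*=")

def audit_exposed_php(root):
    """Map each .php/.phps file under `root` that has secret-looking lines
    to (is_symlink, [line numbers])."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".php", ".phps")):
                continue
            path = os.path.join(dirpath, name)
            # open() follows symlinks, as the web server would when serving the file
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1) if SECRET_RE.search(line)]
            if hits:
                findings[os.path.relpath(path, root)] = (os.path.islink(path), hits)
    return findings

def demo():
    """Audit a constructed tree: pub/ holds one harmless script and a symlink
    to local/config.php, which contains a made-up cleartext password."""
    with tempfile.TemporaryDirectory() as top:
        pub, local = os.path.join(top, "pub"), os.path.join(top, "local")
        os.makedirs(pub)
        os.makedirs(local)
        with open(os.path.join(pub, "smileys.php"), "w") as fh:
            fh.write("<?php\n$Smileys = array(':-)' => 'smile.gif');\n?>\n")
        with open(os.path.join(local, "config.php"), "w") as fh:
            # $SitePassword is a hypothetical variable name, not a PmWiki setting
            fh.write("<?php\n$WikiTitle = 'Demo';\n$SitePassword = 'example-only';\n?>\n")
        os.symlink(os.path.join(local, "config.php"), os.path.join(pub, "config.php"))
        return audit_exposed_php(pub)

if __name__ == "__main__":
    for rel, (linked, lines) in demo().items():
        print(f"{rel}: symlink={linked}, secret-looking lines {lines}")
```

Run it against pub/ and the uploads directory before adding the AddType line; an empty result only means the heuristic found nothing, not that the files are safe to publish.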


