[Pmwiki-users] Re: Safer .php-files
Patrick R. Michaud
pmichaud
Fri Feb 27 08:53:19 CST 2004
On Fri, Feb 27, 2004 at 03:17:25PM +0100, Thomas -Balu- Walter wrote:
> On Fri, Feb 27, 2004 at 01:36:22PM +0100, Christian Ridderström wrote:
> > Could someone comment on the risk of showing the contents of the php file?
> > I.e., why do an exit() instead of showing the file?
>
> PHP files might contain configuration variables and similar.

Specifically, local/config.php often contains site-wide passwords, sometimes
in cleartext depending on how the administrator has entered them. :-)

> > PS. For the files in scripts/ this isn't very important, but in order
> > to document/let other see your configuration files, it's convenient to
> > be able to show them somehow.

If you want to show the .php files, I suggest symlinking them into pub
somewhere and putting an AddType directive or equivalent.

> Your server might not be configured to do so, but copying/linking them
> to a file with the ending .phps will show them syntax highlighted.

Now *this* is useful, I wasn't aware of this option! Now I've just added
the line
    AddType application/x-httpd-php-source .php
to .htaccess files in my pub/ and upload/ directories and now .php files
are displayed with syntax highlighting. Much better than the text/plain
option I was using before that didn't work under IE! Thanks!
(See, for example, http://www.pmichaud.com/uploads/Cookbook/smileys.php .)
One could possibly also do:
    <?php
    // Not loaded through PmWiki: display this file's source, then stop.
    if (!defined('PmWiki'))
      { highlight_file($_SERVER['SCRIPT_FILENAME']); exit(); }
    // ... rest of the script ...
    ?>
at the beginning of .php files to automatically display the source prior
to exiting.
Pm
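
As an added example (not part of the original message or of PmWiki), this Python script audits a directory tree for .php files whose first statement is not the `defined('PmWiki')` guard discussed in this thread. The sample file names and contents, including `$AdminPassword`, are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The guard shown in the thread: if (!defined('PmWiki')) followed directly by
# exit/die, or by a { ... } block that ends in exit/die (the highlight_file form).
GUARD = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]PmWiki['"]\s*\)\s*\)"""
    r"""\s*(?:\{[^{}]*?)?\b(?:exit|die)\b""", re.S)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(source: str) -> bool:
    """True only if the guard is the first statement after the opening tag."""
    tag = re.match(r"\s*<\?php\b", source)
    if not tag:
        return False  # no opening tag at the top: treat as unguarded
    body = COMMENTS.sub("", source[tag.end():]).lstrip()
    return GUARD.match(body) is not None

def unguarded(root: Path) -> list[str]:
    """Relative paths of .php files under root that lack the leading guard."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if not has_guard(p.read_text(errors="replace")))

# Constructed sample tree (not real PmWiki files).
SAMPLES = {
    "scripts/plain.php": "<?php if (!defined('PmWiki')) exit();\n$x = 1;\n",
    "pub/show.php": "<?php\n// displays itself\nif (!defined('PmWiki'))\n"
                    "{ highlight_file($_SERVER['SCRIPT_FILENAME']); exit(); }\n",
    "local/config.php": "<?php\n$AdminPassword = 'example';\n",
    "cookbook/late.php": "<?php\necho 'hi';\nif (!defined('PmWiki')) exit();\n",
}

def demo() -> list[str]:
    """Write the samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        return unguarded(root)

if __name__ == "__main__":
    print(demo())
```

A script that is meant to be requested directly will also appear in the list, so review the output rather than treating every entry as a defect.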