User permissions and PHP security

[YppBay]

I've been running into a problem recently and don't know how to work around it. The issue is that when accessing a database (MySQL) with PHP, you login with a username/password in your PHP script. This is all fine and dandy, but how do you keep your visitors from downloading the PHP script and finding the username/password directly from there? How do you, for instance, have a registration form with a PHP script it posts to, and allow the PHP script to access the database without allowing visitors to see the script?

 

[Brandon]

How can they downloaded the PHP script, to see the username/password etc you usually need to view them in FTP, etc.

You shouldn't be seeing it through the web browser.

 

[YppBay]

ok, I'm not sure if I'm understanding the file permissions correctly. If I take a PHP script and set the permissions to 0751, then that will allow me as the administrater to read, write, and execute it, and it will allow the site visitor to only execute it, but not read the script contents. Is this correct, and are there any caveats that I should be aware of?

Furthermore, I'm running WAMPserver 2.0 in offline mode on my local box as a test bed prior to putting it up "live" on x10. If anyone has experience with apache on windows, how do I set the unix-style file permissions in a windows environment?

 

[SyncViews]

The only normal way a user will get the password data from a php script is if they downloaded it with ftp which should be password protected anyway.

Pretty much everything else results in the server running the script and sending only the html to the user (and other client side stuff like the script for the ads)

 

[YppBay]

ok, I did some messing around, and I didn't realize that the http server will never serve up the PHP source and will always interpret it first before serving it out. This solves my whole problem.

 

[spork]

Yea, php is server side scripting as opposed to javascript which is browser side. It's impossible for someone to see your php code.

 

[Slothie]

Unless of course the php parser on the server breaks down and dies.

 

[eddysweb]

yea, PHP is server side which means that their browser never even sees the script, HTML and Javascript are client-side scripts which means that their browser produces them while PHP is server side meaning the opposite, the server (x10hosting) runs the scripts and sends the output. This means that all your php code is safe, the only way it can be seen is if an error happens and it shows the php.