In short I think what everyone is trying to say is: it depends on how your
server is set up.

If you host your own servers then you need to read up on how PHP works in
the chain of command and how it's configured. If not, then reading up on
the whole request and deliver process of HTTP where a scripting language
like PHP / ASP is involved would be useful... but it's unlikely that a
commercial hoster would allow .php files to have their source viewed.

To clear things up - if the extension you are using is being parsed by PHP
(eg .php files are working correctly and a phpinfo() executes as expected)
then there is *no known exploit* to get the source from that page. That's
not to say there isn't one we don't know about - and if your friend /
colleague who informed you that it is possible, can ... then I would be (as
would most of us on this list) most eager to find out how. If he can
replicate the exploit, I have an open mind.

For the record, there are only 3 ways of outputting PHP source on a
"properly" configured webserver running PHP.

1. Placing a "show_source" PHP command in your PHP parsed script

2. Using .phps (only works on Unix AFAIK)

3. Outputting the code yourself using echo's / having badly formed code
(eg: missing out the <?php at the beginning exposing your php code as raw
html).

In all 3 cases it would be quite obvious (as your site would not function
as intended). Also - for the record - if you cannot view the PHP source
inside IE, then you cannot inside netscape, opera nor any other web
browser as IE gets the same data as the rest of them (unless you're doing
some fancy stuff, by which you will already know the answer to most of
your questions).

Hope I haven't been too confusing


- Dan


> On Thursday, June 13, 2002, 2:20:29 PM, you wrote:
>
>> I'm quite sure that this won't work...
>> The server isn't delivering the php source, so the client
>> will not get the source code but only the resulting code
>> the script generated.
>> So IMHO this is a "hoax".
>
> Unless your server has phps (source view) enabled. If it has then you
> can see the source of any file by using the extension .phps.
>
> --
> Stuart
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd
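
Added example, not part of the original message: a Python check a site owner could run over response bodies from their own pages and over their Apache config to spot the three exposure paths listed above. The finding names, sample bodies and sample config are constructed for illustration, and the patterns are heuristics.

```python
import re

# Case 3 / extension not parsed: a literal PHP open tag reached the client.
RAW_OPEN = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Cases 1 and 2: show_source() and .phps emit HTML with the tag entity-escaped.
HIGHLIGHTED = re.compile(r"<code>.*?&lt;\?(?:php\b|=)", re.IGNORECASE | re.DOTALL)
# Apache directives that map an extension to PHP's source-view handler.
PHPS_HANDLER = re.compile(
    r"^\s*(?:AddType|AddHandler|SetHandler)\s+application/x-httpd-php-source\b",
    re.IGNORECASE)

def classify_body(body):
    """Return the kinds of source exposure visible in one response body."""
    findings = []
    if RAW_OPEN.search(body):
        findings.append("raw-open-tag")
    # A "?>" with no matching "<?" is what a script missing its "<?php" leaves.
    if body.count("?>") > body.count("<?"):
        findings.append("orphan-close-tag")
    if HIGHLIGHTED.search(body):
        findings.append("highlighted-source")
    return findings

def phps_directives(config_text):
    """Return (line number, directive) for active, uncommented source-view lines."""
    return [(n, line.strip())
            for n, line in enumerate(config_text.splitlines(), 1)
            if PHPS_HANDLER.match(line)]

def audit(bodies):
    """Map each path to its findings, skipping pages with none."""
    results = {path: classify_body(body) for path, body in bodies.items()}
    return {path: found for path, found in results.items() if found}

# Constructed sample responses (hypothetical paths and content).
SAMPLE_BODIES = {
    "/ok.php": "<html><body>Total: 3</body></html>",
    "/feed.php": '<?xml version="1.0"?><rss></rss>',
    "/unparsed.php": "<?php $total = 1 + 2; echo $total; ?>",
    "/no_open_tag.php": "$total = 1 + 2; echo $total; ?>",
    "/view.phps": '<code><span style="color: #0000BB">&lt;?php&nbsp;</span></code>',
}
# Constructed Apache config fragment: line 1 is commented out, line 3 is live.
SAMPLE_CONFIG = """# AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
"""

if __name__ == "__main__":
    print(audit(SAMPLE_BODIES))
    print(phps_directives(SAMPLE_CONFIG))
```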


