JOB: LAMP Artisan

Gary Thornock gthornock at yahoo.com
Wed Feb 26 12:15:17 MST 2014


>>> Some configurations of PHP and/or Apache make it possible to view the
>>> source of a PHP file from over the web, including the aforementioned
>>> global configuration file.

>> Well, that would be a problem, yes. But that's due to poor configuration in
>> the apache config file, not due to any problems in the PHP language. The
>> same misconfiguration can result in dumping Perl, Python, Ruby, etc....

> Actually, this is not really possible with Python, Ruby, or Java, since
> the code generating the page is never accessible to the web server.
> It's outside the webroot. The only interface to it is the callable
> interface (the API).

That's mainly because Python and Ruby don't have corresponding Apache
modules.  (Java, of course, is an entirely different case.)  This problem
would really only come up with mis-configured mod_php and maybe mod_perl.
And it's mainly a configuration problem, although there are steps you can
take (designing your application so that the code resides outside the
document root) to prevent it even when a server is configured badly.

A small collection (or a large collection grown over time) of PHP scripts
might exist inside the web root.  That's not uncommon, and in the case
of a one-off script, it's not necessarily bad.

A larger application that was designed from the beginning to be a large
application would generally take issues like this into account and
structure the code accordingly.
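
A check for the layout described in the message above, as an added example that is not part of the original post: it lists PHP-like files under a document root that are not an allowed entry point, which are the files whose source would be served if the PHP handler were misconfigured. The function names, the default entry point index.php, and the extension list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: index.php is the
# only intended entry point, and application code and configuration live in
# a directory outside the document root.

# Print, relative to the document root $1, every PHP-like file that is not
# in the space-separated allow-list $2 (default: index.php).
exposed_php_files() {
    docroot=${1%/}
    allowed=${2:-index.php}
    # .inc files and editor/backup copies are included because they are
    # often served verbatim even when the PHP handler works correctly.
    find "$docroot" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.inc' -o -name '*.php.bak' -o -name '*.php~' \) | sort |
    while IFS= read -r path; do
        rel=${path#"$docroot"/}
        skip=0
        for entry in $allowed; do
            if [ "$rel" = "$entry" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$rel"; fi
    done
    return 0
}

# Return 0 when only allowed entry points are inside the document root,
# 1 (with a report on stderr) otherwise.
audit_docroot() {
    found=$(exposed_php_files "$@")
    if [ -n "$found" ]; then
        printf 'PHP source inside the document root:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: ./audit.sh /var/www/html "index.php"
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

A non-zero exit makes this usable as a deployment gate; the allow-list should contain only thin entry points that load code from outside the document root.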

