
PHP

Henrik Christensen
Python Web Development Techdegree Student 38,322 Points

Question about PHP code visibility

Hi,

I finally finished my first PHP website and I got a question before uploading the final product.

Is it possible for other people to view my php when inspecting my site to see my php-code, or is it 100% hidden for others?

I'm asking because I got an API key (username/password) for my mail-server in my php-code and I don't really want people being able to see it. In case it's not 100% hidden, how do I hide it then?

Daniel Box
1,939 Points

When it comes to security on the web everything is always a measure of secure.

It is reasonable in your case, though, to say that you've responsibly hidden that API key by putting it in PHP code.

The average user cannot, say, go and inspect your code and see that API.

So for all intents and purposes, you've done it right and it is hidden from others, good job!

1 Answer

The PHP is a program like any other program. The purpose of the PHP program is to parse the source code of files with the .php extension, giving back a result, so the source code is not available to the users. Take this example:

index.php

<?php

echo 'Hello, World';

When we access this in our browsers, at the URL address, let's say, http://localhost, we get back the result of parsing this php file, so the result is simply the output of that echo construct, Hello, World!

Something to point out: never use the .inc extension when you want to include/require a file (still a PHP file) in a different PHP file. Let me give you this example.

database.inc

<?php

$pdo = new PDO('mysql:host=127.0.0.1;dbname=test', 'root', 'root');

index.php

<?php

require_once 'database.inc';

echo 'Hello, world!';

If someone tries to access, by chance, the address, let's say (this is just an example) http://localhost/database.inc, they will see the content of that file (your database information), so you can try and see with your own eyes. Why is this happening? The .inc extension tells the PHP parser that this file should be included in another file, then parsed as a whole, so files with the .inc extension are not parsed by the PHP parser and their content is available to the user. So never use the .inc extension, use the normal .php extension.

Something more: if your server is not well configured, you can have big problems. Let's say you have a config folder, and inside it you have the database.php file which holds the database configuration. Someone that simply accesses the address, let's say, as an example, http://localhost/config/ will be able to see the content of the config folder, in other words, the database.php file. Usually, all web servers are well configured, but to be sure, you can put an index.html file in such subfolders. The index.html file will be automatically loaded by the browser. There is another method using an .htaccess file, but that's too much.
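
An added example, not part of the original answer: a pre-upload check, written in Python, that walks a document root and reports the two exposures discussed above, PHP source stored under an extension the server would send as plain text, and directories with no index file. The names `audit_docroot` and `build_sample_site`, the handled-extension set and the index file names are assumptions made for this sketch, and the sample site is constructed from the files named in the answer.

```python
import os
import tempfile

# Assumption: the web server passes only these extensions to the PHP interpreter.
PHP_HANDLED = {".php"}
# Assumption: file names the server treats as a directory index.
INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def audit_docroot(docroot):
    """Return (raw_php_files, listable_dirs) as sorted paths relative to docroot."""
    raw_php, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        # A directory without an index file shows its listing if autoindex is on.
        if filenames and not INDEX_NAMES & {f.lower() for f in filenames}:
            listable.append(rel_dir)
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_HANDLED:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(65536)
            # PHP source under an unhandled extension is sent to the client as-is.
            if b"<?php" in head or b"<?=" in head:
                raw_php.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(raw_php), sorted(listable)


def build_sample_site(root):
    """Constructed sample layout mirroring the files named in the answer."""
    files = {
        "index.php": "<?php\nrequire_once 'database.inc';\necho 'Hello, world!';\n",
        "database.inc": "<?php\n$pdo = new PDO('mysql:host=127.0.0.1;dbname=test', 'root', 'root');\n",
        "config/database.php": "<?php\nreturn ['user' => 'root'];\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        raw, dirs = audit_docroot(root)
        print("served as plain text:", raw)
        print("no index file:", dirs)
```

Point `audit_docroot` at the folder you are about to upload; anything it reports in the first list should be renamed to .php or moved out of the web-served tree before the site goes live.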