This is a discussion on Single PHP file - *.php = process, *.phps = source. within the Apache Web Server forums, part of the Web Server and Related Forums category.
Hi All,
Hoping for some direction here (I have searched, without avail, for a solution already). I was toying with trying to find a way whereby I could have a single PHP file, and then specify whether to either see the processed output or the source code by using the extensions php and phps (respectively).

So, with one file called "theFile.php" on the server, going to "www.server.com/theFile.php" would show the end result of the php actions, whereas going to "www.server.com/theFile.phps" would show the actual content of the file itself.

I thought this could be done by modifying the htaccess file as follows:

AddType application/x-httpd-php-source phps

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)\.phps$ $1.php

However this does not work:
- if a *.php file exists, then accessing *.php or *.phps returns the end result of the php actions.
- if a *.phps file exists, then accessing *.php returns a 404 error, and *.phps shows the actual file contents.

Looking for any direction, references, or assistance.

Thanks
On Fri, 26 Jan 2007 02:04:18 +0100, Lucanos <lucanos@gmail.com> wrote:
> Hi All,
>
> Hoping for some direction here (I have searched, without avail, for a
> solution already).
>
> I was toying with trying to find a way whereby I could have a single
> PHP file, and then specify whether to either see the processed output
> or the source code by using the extensions php and phps (respectively).
>
> So, with one file called "theFile.php" on the server, going to
> "www.server.com/theFile.php" would show the end result of the php
> actions, whereas going to "www.server.com/theFile.phps" would show the
> actual content of the file itself.
>
> I thought this could be done by modifying the htaccess file as follows:
>
> AddType application/x-httpd-php-source phps
>
> RewriteEngine on
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule ^(.+)\.phps$ $1.php
>
> However this does not work:
> - if a *.php file exists, then accessing *.php or *.phps returns the
> end result of the php actions.
> - if a *.phps file exists, then accessing *.php returns a 404 error,
> and *.phps shows the actual file contents.
>
> Looking for any direction, references, or assistance.

First of all, let's make it clear that what you want is a major, major security risk... Add very rigid security for the ones allowed to see the code, both in authenticating and in what directories they are allowed to see.

Now, for your solution: Make 2 files:

----highlighter.php-----
<?php
// Serve a syntax-highlighted copy of the requested script. The rewrite
// below strips the ".phps" suffix, so "$1" arrives without an extension.
highlight_file($_GET['file'] . '.php');
------------------------

---.htaccess:-----------
RewriteCond $1.php -f
RewriteCond $1.phps !-f
RewriteRule ^(.*)\.phps$ highlighter.php?file=$1
------------------------

Voilà.
--
Rik Wasmus
Lucanos wrote:
> I was toying with trying to find a way whereby I could have a single
> PHP file, and then specify whether to either see the processed output
> or the source code by using the extensions php and phps (respectively).

As Rik said, for production code this can cause security problems. Of course, properly secured code doesn't rely on security-through-obscurity, but still, obscurity helps sometimes.

That said, I often use it as a technique when posting example code for people.

Method one: symbolic links. Create the file mycode.php, then create a symbolic link to it using the following command and the command line:

ln -s mycode.php mycode.phps

This effectively creates two copies of the file, one called "mycode.php" and one called "mycode.phps", but any updates to the PHP file will also show up in the PHPS file.

Method two: PHP. Add the following code to the top of each PHP file:

<?php
// When "?source=1" is present, emit this script's own highlighted source
// instead of running it. !empty() avoids a notice when the parameter is absent.
if (!empty($_GET['source'])) {
    highlight_file($_SERVER['SCRIPT_FILENAME']);
    exit();
}
?>

You can now add "?source=1" to a URL to show its source.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
> I was toying with trying to find a way whereby I could have a single
> PHP file, and then specify whether to either see the processed output
> or the source code by using the extensions php and phps (respectively).
>
> So, with one file called "theFile.php" on the server, going to
> "www.server.com/theFile.php" would show the end result of the php
> actions, whereas going to "www.server.com/theFile.phps" would show the
> actual content of the file itself.

I would do this in another way: create a PHP script that takes a filename as a parameter, checks this to see if it is a file that is allowed to be seen, and sends the contents of the file as plaintext to the browser.

You would call it with something like www.server.com/showsource?file=theFile.php

Of course, you can instruct apache to turn that into any other URL with rewriting.

Best regards
On 26 Jan, 09:52, Dikkie Dik <nos...@nospam.org> wrote:
> > I was toying with trying to find a way whereby I could have a single
> > PHP file, and then specify whether to either see the processed output
> > or the source code by using the extensions php and phps (respectively).
> >
> > So, with one file called "theFile.php" on the server, going to
> > "www.server.com/theFile.php" would show the end result of the php
> > actions, whereas going to "www.server.com/theFile.phps" would show the
> > actual content of the file itself.
>
> I would do this in another way: create a PHP script that takes a
> filename as a parameter, checks this to see if it is a file that is
> allowed to be seen, and sends the contents of the file as plaintext to
> the browser.
>
> You would call it with something like www.server.com/showsource?file=theFile.php
>
> Of course, you can instruct apache to turn that into any other URL with
> rewriting.
>
> Best regards

You were on the right track before:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} \.phps$
RewriteRule . highlighter.php

Then, as has been said previously, you must take steps to ensure that your PHP source code (and include files, which _should_ end in php for security), which might have sensitive path details and table names for databases, cannot be downloaded. (Your password files should of course not be stored in the web doc root anyway.)

So your highlighter file could simply check whether your allow list includes the file to be highlighted; however, this means you have to maintain an allow list. Perhaps instead the script to be highlighted could be opened and checked for a "control statement". An example of a file you have written that you want to make available would be:

<?php #show-source true,0
// non sensitive code
?>

In the above, "true,0" means any user level can see it.

Your highlighter file should do 3 things:
- check the file to make sure it is indeed PHP code, stripping off the first line and parsing for the "source control" comment;
- connect to a DB (or SQLite db) to keep an up to date list of all the scripts it has
  a) been asked to serve as source for which no show-source comment was present,
  b) files which it has been asked to serve as source for the first time (it should use your public key to encrypt an email to you with this, with a clickable link and one time hash),
  c) maintain a list of IPs that have succeeded in viewing the source;
- serve the source as HTML.

Doing it this way means you
a) do not have to maintain a whitelist within your highlighter script,
b) can find all the files you are allowing by just checking your DB,
c) can secure your source using "user" levels, IP lists and so on, setting a table in your DB to handle the mapping:

id user1/ip userlevel ....

where another table has

file IP timestamp

Now only those people who gain file system access to your code can modify a document to include the control statement to show source - which is game over anyway - if they have file system privs then they can just grab the lot.

Now write a PHP script that takes an md5 of all your files each night and DB them; refuse to send code if the highlighter script has changed md5, or any of the other files (which someone might try to alter), unless you have clicked on the email link when it is requested for the first time.

As the highlighter file is hard coded in the rewrite, and (hopefully) you're not using htaccess, the highlighter can be harder to pin down in terms of location, and stands a good chance of going un-noticed.

I realise this isn't totally secure, but it works for me, and in practice the amount of source code files you serve is small, and so the clickable email links are not a hassle, as usually when you are displaying code in this way it is pretty much finished.

In case anyone thinks I'm a little paranoid - tripwire -> DB can really save time when you've had a PHP worm rip through your servers 100,000 files! And the peace of mind is worth the overhead, after all you only code all this once!
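A hardened version of the highlighter.php discussed in this thread, written here as an added example (not code posted by any of the participants): it replaces the unchecked highlight_file($_GET['file']) with a basename-only allow list (Dikkie Dik's "checks this to see if it is a file that is allowed to be seen"), a realpath check against one fixed source directory, and the first-line #show-source control comment from the last post. The directory public_examples, the allow-list entries and the uniform 404 reply are assumptions.

```php
<?php
// Added example, not from the thread: a highlighter.php that serves only
// allow-listed scripts from one directory, and only when the script's first
// line carries the "#show-source true" control comment described above.
// Meant to sit behind:  RewriteRule ^(.*)\.phps$ highlighter.php?file=$1
declare(strict_types=1);

$sourceRoot = realpath(__DIR__ . '/public_examples'); // assumed directory
$allowList  = ['theFile', 'mycode'];                  // assumed basenames

function resolve_source(string $root, string $requested, array $allowList): ?string
{
    // Accept a plain basename only: no slashes, dots or NUL bytes, so a
    // traversal or null-byte trick never reaches the filesystem at all.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested) !== 1) {
        return null;
    }
    if (!in_array($requested, $allowList, true)) {
        return null;
    }
    $path = realpath($root . '/' . $requested . '.php');
    // realpath() resolves symlinks; the target must still lie inside $root.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function has_show_source_marker(string $path): bool
{
    // Control comment from the thread, e.g. "<?php #show-source true,0".
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $firstLine = fgets($fh, 512);
    fclose($fh);
    return $firstLine !== false && preg_match('/#show-source\s+true\b/', $firstLine) === 1;
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = $sourceRoot !== false ? resolve_source($sourceRoot, $requested, $allowList) : null;
if ($path === null || !has_show_source_marker($path)) {
    http_response_code(404); // same reply as a missing file: no oracle
    header('Content-Type: text/plain; charset=utf-8');
    exit("Not found\n");
}
header('Content-Type: text/html; charset=utf-8');
highlight_file($path); // output is HTML-escaped by highlight_file()
```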