If the script is readable by the web server (which it must be in order to be parsed) and the web server only runs as one user (which it usually does), then your scripts will be readable by other users on the same server, and anyone with command line or telnet/ssh access will have at least read-only source code access to your application.
You generally do not have to worry about other sites seeing your source code because PHP is a server-side language, so the source is parsed before any content is sent. You would mostly worry about this if a misconfiguration on the server resulted in .php files being sent as some other content type and not being parsed by PHP.

Jason

On Tue, 2003-02-18 at 00:00, Nate wrote:
> I wonder though, if they're on the same server but different sites. Like a
> shared host environment. Aw, the things that bewilder the mind.
>
> Nate
>
> "Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message
> news:000001c2d710$81a68e20$6301a8c0@ukiuki...
> > That is called Cross-Site Scripting (XSS).
> > I have not been able to get access to the variables via an XSS exploit.
> > It appears that Apache renders the php code before sending off the
> > requesting include function.
> >
> > I also like the .htaccess way of preventing user access to the scripts.
> > This is also worthy of further investigation.
> >
> > Bryan
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
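
A check for the exposure described in the message above, added here as an example and not part of the original thread: it lists `.php` files in a tree you own that carry the other-read bit, and separates those that local accounts can actually reach from those shielded by a parent directory without other-execute. The function names `reachable_by_other` and `audit_php_perms` are hypothetical, and directories above the audited root are assumed to be traversable.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree you own for PHP sources
# that any local account on a shared host could read.
# A file is EXPOSED only if it has the other-read bit AND every directory
# from its parent up to the audited root has the other-execute bit.
# Assumption: directories above the audited root are traversable.

# reachable_by_other ROOT FILE
# Returns 0 when each directory from FILE's parent up to ROOT is o+x.
reachable_by_other() {
    r=$1
    dir=$(dirname "$2")
    while :; do
        # find -prune on a directory prints it only if the mode test matches
        [ -n "$(find "$dir" -prune -perm -001)" ] || return 1
        [ "$dir" = "$r" ] && return 0
        # Safety stop if the walk leaves the audited root
        case $dir in /|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# audit_php_perms ROOT
# Prints "EXPOSED <path>" or "SHIELDED <path>" for each other-readable .php file.
audit_php_perms() {
    root=${1%/}
    find "$root" -type f -name '*.php' -perm -004 |
    while IFS= read -r f; do
        if reachable_by_other "$root" "$f"; then
            echo "EXPOSED $f"
        else
            echo "SHIELDED $f"
        fi
    done
}

# Run against a directory given on the command line, if any
if [ "$#" -gt 0 ]; then
    audit_php_perms "$1"
fi
```

Files reported as EXPOSED still have to stay readable by the web server user, so the usual remedy is group ownership by the web server's group with the other bits removed, where the host allows it.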