Old 11-10-2005, 05:41 AM Security of php code
Nahele's Avatar
So I know that any PHP code that you have on a webpage doesn't show up when you view source, as it is run server side and only the HTML output is shown, but how easy is it for someone to get access to that script? For example, say I have a site that you log in with. Once you hit submit, it accesses another script for authentication. That script contains the address, name, username and password of the database I need to access to authenticate.

How easy is it for someone to actually look at that PHP coding and get that information? Any suggestions on how to better blockade that information?
 
 
Old 11-10-2005, 05:43 AM
ibbo's Avatar
They would not need to see the code itself, as many requests are transmitted in the clear.

If you want to prevent this then you need to encrypt your post data or you can use https with SSL.

Ibbo
 
Old 11-10-2005, 10:49 AM
Christopher's Avatar
No end user will be able to see your PHP code unless your server is sending it as plain text (i.e. the .php extension isn't registered to be interpreted as PHP).

If you want to be extra secure, create a separate 'config' file that holds your sensitive data (passwords etc) and place it outside of your public web directory. Most servers have a public_html/ directory which is used to store all of your files. If you place it somewhere out of this directory, no user will ever be able to access it from the web (unless they've got FTP access etc). You can then just include() the file.

ibbo, I think Nahele means information in the actual PHP code (like database passwords etc), not the form data the user is submitting to the server.
 
Old 11-10-2005, 10:25 PM
How about using PHP encoders like sourceguardian.com and ioncube.com?
varunbihani is offline
 
Old 11-10-2005, 10:55 PM
Christopher's Avatar
Those work too (Don't forget Zend Encoder!)
 
Old 11-14-2005, 11:41 AM
ibbo's Avatar
"ibbo, I think Nahele means information in the actual PHP code (like database passwords etc), not the form data the user is submitting to the server."

Ah well.

Keeping sensitive files outside your docroot is the way forward, and I even extend it by requiring a class to load another class (which is a bog-standard factory pattern).

Ibbo
 
Old 11-15-2005, 03:03 PM
I recommend only putting your static documents in the Document Root along with a few php stub files (front controllers) and then moving all the rest of the PHP files outside of the Document Root.
Selkirk is offline
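
Added example, not part of any post in this thread: a front-controller stub of the kind Selkirk describes, loading the out-of-docroot config file Christopher suggests and refusing to start if that file sits inside the document root or is readable by other users. The directory layout, the `load_private_config()` helper, the config keys and the assumption that PHP runs as the file's owner are all hypothetical.

```php
<?php
// public_html/index.php : front-controller stub (added example; paths are assumptions)
// Assumed ../private/config.php: <?php return ['dsn' => '...', 'user' => '...', 'pass' => '...'];
declare(strict_types=1);

/**
 * Load a config array from a PHP file, refusing any file the web server
 * could serve directly or that other local users could read.
 */
function load_private_config(string $configPath, string $docRoot): array
{
    $config = realpath($configPath);   // resolves symlinks and ".."
    $root   = realpath($docRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Reject a config file located at or below the document root.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($config, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // Reject world-readable or world-writable files (POSIX permission bits).
    // Assumes PHP runs as the file's owner, e.g. a per-user PHP-FPM pool.
    $perms = fileperms($config);
    if ($perms === false || ($perms & 0006) !== 0) {
        throw new RuntimeException('Config file is accessible to other users');
    }
    $settings = require $config;       // the file must end with: return [ ... ];
    if (!is_array($settings)) {
        throw new RuntimeException('Config file must return an array');
    }
    return $settings;
}

try {
    // Hypothetical layout: a private/ directory beside public_html/
    $cfg = load_private_config(dirname(__DIR__) . '/private/config.php', __DIR__);
    $db  = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo 'Connected';
} catch (Throwable $e) {
    // Log the detail server-side; never echo paths or credentials to the client.
    error_log('Startup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Service unavailable';
}
```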
 
Old 11-15-2005, 05:40 PM
MrRundog's Avatar
How about if you have the config folder in a password protected folder in the root - does that work?
 
Old 11-15-2005, 10:18 PM
Nahele's Avatar
Thanks for all the notes, but the host for this site is not like the others I've worked with. Usually there is a specific folder that all pages go into and then other folders for scripts that people don't have access to, but this is just a folder that everything goes in and where my index.html is. Can I possibly create a folder in my root and set the permissions of that folder where it is not accessible to the public...what should that permission value be if I will have scripts that authenticate users in it...maybe 711 (or drwx--x--x)?
 