
Security question: who can read my code or download php files

         

royp2000

5:12 pm on Nov 21, 2003 (gmt 0)

10+ Year Member



Hello,

I've got a little question. I was reading some tutorials about CHMOD, but I didn't understand many things, even after I read them.

- Who can normally read the code of the PHP files?
- Can regular users download PHP files from my server and view the code with their favorite text editor?
- How can I prevent users from viewing the actual code of the PHP files?
- How can I prevent users from listing the files I have in a certain directory, say [site.com...]

All of the questions are about normal HTTP browser use, not FTP or something like that.

I want to start programming using PHP and MySQL, and I'm afraid to put the DB user and pass in a file.

Thanks in advance,

Roy

jatar_k

6:05 pm on Nov 21, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



- Who can normally read the code of the PHP files?

The actual code: only people with FTP/SSH/Telnet access. Since PHP is a server-side language, any requests through HTTP/HTTPS are processed before they are served. The browser only receives the HTML output from the script requested.

- Can regular users download PHP files from my server and view the code with their favorite text editor?

Not unless something is misconfigured.

- How can I prevent users from viewing the actual code of the PHP files?

Only put PHP code in files with extensions that are parsed by PHP. Anyone requesting these files will only receive the output, not the script. Avoid the common mistake of using .inc or .lib when they are not run through the parser: calling these files will display them in plain text in a browser. Three options:

1. use .inc.php and .lib.php
2. use the AddType directive in Apache to make these extensions parsed by PHP
3. put the distinction in the name: section1_lib.php, global_inc.php

- How can I prevent users from listing the files I have in a certain directory, say [site.com...]

This is an Apache configuration issue. I think it is the DirectoryIndex directive in the Apache conf.

As far as where to put your passwords: I always store them in a .php file and usually put them above the root of the site. That way they can't be requested through a browser.
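The Apache directives the answer above mentions, as an added example that is not part of the thread: a .htaccess file for the document root (or the same lines in the site's <Directory> block in httpd.conf). The account layout /home/roy/public_html with a sibling /home/roy/private directory is an assumed placeholder. The file wires up option 2 (have PHP parse .inc and .lib), turns off automatic directory listings, sets the index files, and shows in a comment the PHP require line that reads a password file kept above the document root.

```apache
# Added example, not from the thread: .htaccess in the document root
# (assumed to be /home/roy/public_html; adjust to your own account).
# Each directive needs the host's AllowOverride to permit it; if the
# host forbids one, Apache answers every request with a 500 error.

# Option 2 from the answer above: hand .inc and .lib files to the PHP
# module (mod_php) so a direct request runs them instead of showing
# the source. They still execute when requested directly, so option 1
# (naming them name.inc.php) or keeping them out of the document root
# is the cleaner fix; this line helps sites that already have many
# .inc files in place.
AddType application/x-httpd-php .inc .lib

# No automatic file listing when a directory has no index file;
# Apache answers 403 Forbidden instead of showing the directory.
Options -Indexes

# Index files Apache tries, in this order, when a directory is requested.
DirectoryIndex index.php index.html

# The database password file lives one level above the document root,
# e.g. /home/roy/private/db.php (assumed path), so no URL maps to it.
# A script anywhere inside the document root still reads it through
# the filesystem, which the web server's URL handling never touches:
#     <?php require dirname($_SERVER['DOCUMENT_ROOT']) . '/private/db.php'; ?>
```

After uploading it, request a directory that has no index file: with Options -Indexes in place the response is 403 Forbidden rather than a file listing, and requesting a .inc file returns its output (usually an empty page) rather than its source.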

royp2000

8:37 pm on Nov 21, 2003 (gmt 0)

10+ Year Member



Thank you jatar_k,

You were very detailed, that helped a lot.

About the passwords, what if I can't access directories above the root directory (I'm on a shared server)?

Thanks in advance.

Roy.

DrDoc

9:54 pm on Nov 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Then put the password file in a protected directory. Make sure to use an invalid password file, so that there's no correct password.

royp2000

1:54 am on Nov 22, 2003 (gmt 0)

10+ Year Member



"Make sure to use an invalid password file, so that there's no correct password."

I don't follow you man, can you clarify again?

Thanks,

Roy

Distel

2:10 am on Nov 22, 2003 (gmt 0)

10+ Year Member



I think he means you should put the password in a protected directory and then put a bogus pw file in your main directory as a decoy.

Distel

2:12 am on Nov 22, 2003 (gmt 0)

10+ Year Member



How can I prevent users from listing the files I have in a certain directory, say [site.com...]

Many webservers will look for an index.php or index.html file by default in any directory. You could put one in your directory, redirecting the user to the main site.

royp2000

2:25 am on Nov 22, 2003 (gmt 0)

10+ Year Member



But if I don't do that, will people be able to list the files I have in the directory?

Thanks,

Roy.

Distel

2:42 am on Nov 22, 2003 (gmt 0)

10+ Year Member



Most likely: yes. I suppose webservers can be configured not to, but I wouldn't know how to do that. There is of course an easy way to find out: create such a directory without an index file and try opening it with a browser. :)

DrDoc

6:03 pm on Nov 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"invalid password file"

What I meant was modify the .htpasswd file so that it does not contain a valid encrypted password.

royp2000

7:11 pm on Nov 22, 2003 (gmt 0)

10+ Year Member



I don't use .htpasswd

Should I?

Roy

RobinC

8:02 pm on Nov 22, 2003 (gmt 0)

10+ Year Member



The .htaccess file in my local php dir (i.e., the stuff included from everywhere else) is very simple -

Order deny,allow
Deny from all

which basically stops the server letting anyone see it - better imho than a non-existent password...

Robin
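RobinC's per-directory deny, as an added example that is not from the thread, written so it works on both Apache generations: a .htaccess inside the include directory (assumed path /home/roy/public_html/includes). Apache 2.4 replaced Order/Deny with Require, and the 2.2 lines only work there if mod_access_compat is loaded, so the file checks which authorization module is present instead of guessing. PHP scripts elsewhere on the site keep loading the files with require, because include reads from the filesystem and never passes through the web server's access rules; no password prompt is involved, the directory is simply not reachable over HTTP.

```apache
# Added example, not from the thread: .htaccess placed in the directory
# that holds the include files (assumed: /home/roy/public_html/includes).
# Every HTTP request for anything under this directory gets 403 Forbidden.

# Apache 2.4 and later: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (the syntax in the post above): mod_authz_core does not exist,
# so these lines are used only there.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# A script in the document root still loads the credentials normally;
# require reads the file from disk and is not subject to these rules:
#     <?php require __DIR__ . '/includes/db.inc.php'; ?>
```

To confirm it is active, request any file in the directory by URL and expect a 403; if the page is served, the host's AllowOverride does not permit these directives in .htaccess and the same lines belong in the server configuration instead.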