I'm developing a PHP application and have a PHP file with some utility functions. For example utils.php:

<?php
function tidyUpDatabase() {
    // do some stuff
}

function logoutUser() {
    // do some stuff
}
This utility file is intended for inclusion in other PHP scripts that call these functions. But of course it can also be requested directly via the webserver (e.g. https://localhost/app1/utils/utils.php), which will deliver an empty page. Is that workflow vulnerable in some cases? Can someone call the functions inside the utils file over the webserver...?
CodePudding user response:
The answer is that a PHP file that is in the public folder can be called (unless protected by the attributes). But if it only has functions, then they cannot be executed. However, if you have code in there, outside the functions, that calls the functions, then it may get executed.
The usual thing to do is to put your function files in a folder such as /lib. And then protect the folder so that it cannot be read or executed. You can do this with a combination of access rights and an .htaccess file if you are using something like Apache.
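An added example (not the asker's or the answerer's code) of the two points above: an include guard so a direct request to the utility file is refused even if someone later adds top-level code, and the entry script that is allowed to include it. The constant name APP_BOOT and the lib/ and public/ paths are assumptions.

```php
<?php
// lib/utils.php  (hypothetical layout: lib/ sits outside the web root)
//
// Include guard: this file is only meaningful when pulled in by an entry
// script that has already defined APP_BOOT. A direct request such as
// https://localhost/lib/utils.php never defines it, so we stop here.
if (!defined('APP_BOOT')) {
    http_response_code(403);
    exit('Forbidden');
}

function tidyUpDatabase(): void
{
    // do some stuff
}

function logoutUser(): void
{
    // do some stuff
}

// DANGEROUS PATTERN (shown commented out): a call at file scope runs on
// every include AND on every direct request to this file. Utility files
// should contain definitions only, never calls.
// tidyUpDatabase();

// Belt and braces for Apache: put the following single line in lib/.htaccess
// (or in the vhost <Directory> block) so the webserver refuses the file
// before PHP is ever involved:
//     Require all denied
```

```php
<?php
// public/index.php  (the only file the webserver should serve)
define('APP_BOOT', true);
require __DIR__ . '/../lib/utils.php';

tidyUpDatabase();   // safe: called from the entry script, not at file scope
```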