Can PHP source code be accessed by non-hackers on your website?

Started by sebastian, Feb 07, 2023, 04:11 AM

Previous topic - Next topic

sebastianTopic starter

If your website consists of PHP pages containing HTML code, located in the root folder on hosting, users opening the developer tools in their browser will only see the generated HTML code.

However, is it possible for them to view the source PHP code without hacking the server? One way they might be able to do so is through programs designed for saving pages and viewing them offline.



If PHP were to fail while Apache continues to work, it is possible for users to access the source code if they know how to reproduce this rare occurrence. However, several websites have also been known to inadvertently give out source code instead of processed PHP.

It's important to note that accessing files the user isn't allowed to see can have negative consequences, such as causing harm or revealing sensitive information. To prevent this, it's recommended to ensure that only one PHP file (index.php) is accessible via HTTP in the directory, allowing it to interact with other PHP files located one level higher up in the directory.


The PHP code executes on the server and generates the page as seen in your browser. This means that only the compiled HTML resulting from the PHP file is sent to the client and not the file itself. Accessing the PHP file through a browser is only possible via FTP.

When first learning PHP, it's important to write in a way that is both convenient and understandable for yourself. As you gain more knowledge, you'll naturally begin the refactoring process, replacing old code with improved versions at your current level. Concepts like CNC and routing will come into play, leading to links that appear as localhost/registration instead of localhost/registration.php and with only a single index.php file located in the public directory.


There may be instances where you want to output the PHP code of a program either directly onto the browser screen or read and transmit it as text. Is it possible to pass the PHP script code in its initial server file form? This article explores a short PHP program that sends its own code to the browser upon access and presents two different options - how to transfer the PHP program code for reading and view the source code of the PHP script in its original stored form.

One option is to transmit the PHP program code to the browser using a program that outputs its own code to the browser. The PHP script runs, automatically determining which script code needs to be transmitted for viewing, and crawls through the file line by line. Though this approach works successfully, it contains some minor issues with formatting when pasted elsewhere.

An alternative option that avoids HTML markup errors is to pass the value of the $line variable directly to the browser and comment out the line with formatted output. Upon browser inspection of the resulting page code, viewers will then see the original PHP code with spaces, tabs, and everything else in its initial form on the server.

Overall, both methods offer a way to view the PHP code of any script located on the server given appropriate server access and can be useful when assembling PHP scripts.