View my PHP source code in a browser via a button

I'm trying to view my php source code in the form of a button. I've tried implementing the highlight_file() function, but haven't had much luck. It keeps returning "highlight_file(): Filename cannot be empty" or "failed opening". I'm super novice at PHP, but would really appreciate some guidance.

<?php
    $file = $_GET["clientMain.php"];
    echo "<a class=\"btn btn-info btn-large\" role=\"button\"> Source Code for: " . $file . "</a>";
    highlight_file($file, TRUE);
?>

There are many problems with this code. Let me provide a solution, and then explain the issues and some words of caution.

1   <?php
2   
3       $requested_file = $_GET["requested_file"] ?? null;  // null when the key is absent
4   
5       if ($requested_file == "1") {
6           $filepath = "/path/to/file/mainClient.php";
7       } elseif ($requested_file == "2") {
8           $filepath = "/path/to/file/secondaryClient.php";
9       } 
10      
11      if (isset($filepath)) {
12          $output = highlight_file($filepath, TRUE);  // returns the highlighted HTML; echo $output where it should appear
13      }
14    
15   ?>
16  
17   <a href="http://example.com/?requested_file=1" class="btn" >View source for 'Main Client' file</a>
18   <a href="http://example.com/?requested_file=2" class="btn" >View source for 'Secondary Client' file</a>

PROBLEM #1: THE BUTTON

Your anchor tag is lacking an href, so it doesn't do anything. You see on line 17 that I added an href that will send a request to the server to fetch this page: example.com/. Notice the ?requested_file=1 key/value pair in the URL? This is how the $_GET array is populated. The "key" is requested_file and the "value" is 1.

I added a second button on line 18 for illustrative purposes.

PROBLEM #2: $_GET AND SECURITY

In your example, you were trying to load the file name/path through the $_GET superglobal. This is extremely dangerous. Further, it doesn't appear that you fully understand how $_GET works - the parameter 'mainClient.php' inside $_GET['mainClient.php'] identifies the "key" and not the "value". The value is sent by the user through the URL.

The $_GET superglobal is used for retrieving user-generated input from the URL string, in the form of a key/value pair. Because the user has full access to edit the URL sent to the server (and because it is visible), it presents significant security vulnerabilities if not used carefully.

Consider the case where the user types in the URL http://example.com/?mainClient.php=db-config.php. In this case, your code will fire and the file all-my-secrets.php will be revealed in all its glory. That could be a very bad day for you.

In general it is very dangerous to use $_GET for anything other than signaling user actions from a list of pre-defined options. Allowing users to pass unsanitized data directly to your application is fraught with all kinds of risks, such as SQL-Injection, XSS attacks and more. Typically, $_GET is used safely for things like navigation, search terms, pre-defined actions, etc.

In my solution, I compare the $_GET request against a list of pre-defined numeric values (lines 5-9). If the $_GET['requested_file'] key has a value that matches one of my pre-defined numeric choices, then and only then can the file's content be sent back to the browser. So, no matter what the user sends in the URL, they can't get anything other than the two files I have pre-determined to be safe to share. Notice also that the user doesn't have any clue what my file path looks like and I don't even have to reveal the file's name if I don't want to. Revealing that kind of information exposes me even more.

PROBLEM #3: EMPTY VARIABLES

The error "highlight_file(): Filename cannot be empty" is because your $file variable was empty when the URL did not specify a key/value pair for $_GET.

I have used the php isset() function on line 11 to prevent the call to highlight_file() if $filepath doesn't have anything assigned to it.

FYI - You were also having problems with your button text since it uses the same $file variable assigned by $_GET. This is unnecessary, so I hard coded the text I wanted to use with my button.

As Asenar says below, this is not something you want to expose to a public webpage, but if it's a local developer sandbox then you might use the following code:

<?php
$url = "http://localhost".$_SERVER['SCRIPT_NAME'];
$file = $_SERVER['SCRIPT_FILENAME'];
echo "<a href='$url'> Source Code for: " . $url . "</a>";
echo "<HR>File: $file:<BR>";
highlight_file($file, FALSE);
// or echo highlight_file($file, TRUE); 
?>

First of all, I have to say it's a really bad practice to allow viewing the code of any PHP file; this might be a serious security issue. So you might want to only allow a list of files.

You must provide the right path of your file, try to add the relative or absolute path to it.
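
The allowlist approach from the answers above (pre-defined choices in Problem #2, and "only allow a list of files" with the right path), as an added example that is not part of the original posts: request keys map to fixed file names, and realpath() confirms the file exists inside one directory before anything is highlighted. SOURCE_DIR, $allowlist, resolve_source() and the temporary sandbox files are assumptions made for illustration.

```php
<?php
// Added example: allowlist lookup plus a realpath() containment check.
// SOURCE_DIR, $allowlist and resolve_source() are hypothetical names.

// Constructed sandbox so the example runs offline (php example.php).
$base = sys_get_temp_dir() . '/source_viewer_demo_' . getmypid();
@mkdir("$base/public_src", 0700, true);
file_put_contents("$base/public_src/mainClient.php", "<?php echo 'main';\n");
file_put_contents("$base/db-config.php", "<?php \$db_password = 'constructed';\n");
define('SOURCE_DIR', realpath("$base/public_src"));

// Opaque keys map to file names; the request never supplies a path.
$allowlist = ['1' => 'mainClient.php', '2' => 'secondaryClient.php'];

function resolve_source($key, array $allowlist): ?string
{
    // Reject arrays (?requested_file[]=1) and anything not a listed key.
    if (!is_string($key) || !array_key_exists($key, $allowlist)) {
        return null;
    }
    // realpath() returns false for a missing file and resolves symlinks,
    // so a listed name that points outside SOURCE_DIR is refused too.
    $real = realpath(SOURCE_DIR . DIRECTORY_SEPARATOR . $allowlist[$key]);
    if ($real === false || strpos($real, SOURCE_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request values, standing in for $_GET['requested_file'].
$samples = ['1', '2', '../db-config.php', 'db-config.php', ['1'], null];
foreach ($samples as $value) {
    $path = resolve_source($value, $allowlist);
    echo str_pad(json_encode($value, JSON_UNESCAPED_SLASHES), 22), $path === null ? "refused\n" : "served: " . basename($path) . "\n";
}

// In the page itself: highlight only a resolved path, escape any label.
$path = resolve_source($_GET['requested_file'] ?? null, $allowlist);
if ($path !== null) {
    echo htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8'), "\n";
    echo highlight_file($path, true);
}
```

Key "2" is refused in this run because secondaryClient.php was not created in the sandbox, which is the case that otherwise produces the "failed opening" warning.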

Comments
  • Maybe your $file variable must be just $file = "clientMain.php"; ? Why are you using $_GET?
  • I am not 100% sure but I think highlight_file() takes the filename. So in your case highlight_file('clientMain.php')
  • The $_GET global contains input from the query string. It doesn't take information from the filesystem. You are thinking of something along the lines of fopen()
  • Please note that passing user input to highlight_file is a huge security risk
  • @SamanthaKounis that's a different question. Please create a new one
  • Thank-you so much for your response! This really clarifies what the problem was exactly and why the solution works. Really appreciate the effort put into the answer, thank-you!