Security of PHP script, embedded or otherwise

Question

I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as \"webpage.php\") or on a PHP script that ma

Answer 1

what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script?

Security holes aside, this typically happens when someone's messing with the server or migrating the site across servers and the PHP files have been dumped into a folder that's not set up to execute PHP. This is the price you pay for PHP deployment being as simple as dropping files into a folder.

Whilst it's never ideal to leak PHP source, you can mitigate the situation by putting all your sensitive deployment information (like database passwords) in a PHP include file that lives outside the web root (the folder mapped to the / URL, often known as htdocs). It's much harder to screw up the configuration to leak that.

(For larger, more modular projects you will typically be doing the bulk of your processing work in includes anyway.)